From fb60b4f7b00175f7aa4641fef4bc90f21023d050 Mon Sep 17 00:00:00 2001 
From: Henning Perl Date: Wed, 22 Jan 2025 15:09:49 +0100 Subject: [PATCH 1/9] feat: more extension points --- driver/registry.go | 9 + driver/registry_default.go | 20 ++ driver/registry_default_hooks.go | 3 + embedx/config.schema.json | 10 +- internal/client-go/.openapi-generator/FILES | 6 + internal/client-go/README.md | 5 + internal/client-go/api_frontend.go | 302 ++++++++++++++++ internal/client-go/go.sum | 2 + .../model_get_parameters_response.go | 150 ++++++++ internal/client-go/model_provider.go | 337 ++++++++++++++++++ .../model_submit_fedcm_token_body.go | 114 ++++++ ...odel_update_login_flow_with_oidc_method.go | 68 ++-- ...date_registration_flow_with_oidc_method.go | 68 ++-- ...l_update_settings_flow_with_oidc_method.go | 6 +- internal/httpclient/.openapi-generator/FILES | 6 + internal/httpclient/README.md | 5 + internal/httpclient/api_frontend.go | 302 ++++++++++++++++ .../model_get_parameters_response.go | 150 ++++++++ internal/httpclient/model_provider.go | 337 ++++++++++++++++++ .../model_submit_fedcm_token_body.go | 114 ++++++ ...odel_update_login_flow_with_oidc_method.go | 68 ++-- ...date_registration_flow_with_oidc_method.go | 68 ++-- ...l_update_settings_flow_with_oidc_method.go | 6 +- .../strategy/oidc/fedcm/definitions.go | 121 +++++++ selfservice/strategy/oidc/pkce.go | 6 +- selfservice/strategy/oidc/provider_apple.go | 6 +- selfservice/strategy/oidc/provider_config.go | 5 + selfservice/strategy/oidc/provider_google.go | 1 + selfservice/strategy/oidc/provider_netid.go | 44 ++- .../strategy/oidc/provider_test_fedcm.go | 49 +++ .../strategy/oidc/provider_test_fedcm_test.go | 26 ++ selfservice/strategy/oidc/strategy.go | 68 ++-- selfservice/strategy/oidc/strategy_login.go | 42 +-- .../strategy/oidc/strategy_registration.go | 58 +-- .../strategy/oidc/strategy_settings.go | 2 +- selfservice/strategy/oidc/token_verifier.go | 11 + spec/api.json | 224 +++++++++++- spec/swagger.json | 207 ++++++++++- x/router.go | 5 + 39 files changed, 2753 
insertions(+), 278 deletions(-) create mode 100644 internal/client-go/model_get_parameters_response.go create mode 100644 internal/client-go/model_provider.go create mode 100644 internal/client-go/model_submit_fedcm_token_body.go create mode 100644 internal/httpclient/model_get_parameters_response.go create mode 100644 internal/httpclient/model_provider.go create mode 100644 internal/httpclient/model_submit_fedcm_token_body.go create mode 100644 selfservice/strategy/oidc/fedcm/definitions.go create mode 100644 selfservice/strategy/oidc/provider_test_fedcm.go create mode 100644 selfservice/strategy/oidc/provider_test_fedcm_test.go diff --git a/driver/registry.go b/driver/registry.go index e284d6f6a6dd..9f0e7cb3cdde 100644 --- a/driver/registry.go +++ b/driver/registry.go @@ -185,6 +185,7 @@ type options struct { extraGoMigrations popx.Migrations replacementStrategies []NewStrategy extraHooks map[string]func(config.SelfServiceHook) any + extraHandlers []NewHandlerRegistrar disableMigrationLogging bool jsonnetPool jsonnetsecure.Pool } @@ -236,6 +237,14 @@ func WithExtraHooks(hooks map[string]func(config.SelfServiceHook) any) RegistryO } } +type NewHandlerRegistrar func(deps any) x.HandlerRegistrar + +func WithExtraHandlers(handlers ...NewHandlerRegistrar) RegistryOption { + return func(o *options) { + o.extraHandlers = handlers + } +} + func Inspect(f func(reg Registry) error) RegistryOption { return func(o *options) { o.inspect = f diff --git a/driver/registry_default.go b/driver/registry_default.go index 464f7881f626..73f0ef14fd8a 100644 --- a/driver/registry_default.go +++ b/driver/registry_default.go @@ -78,6 +78,8 @@ type RegistryDefault struct { ctxer contextx.Contextualizer injectedSelfserviceHooks map[string]func(config.SelfServiceHook) interface{} + extraHandlerFactories []NewHandlerRegistrar + extraHandlers []x.HandlerRegistrar nosurf nosurf.Handler trc *otelx.Tracer 
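Review bot: `NewHandlerRegistrar` and `WithExtraHandlers` in the second driver/registry.go hunk are exported without doc comments, and `WithExtraHandlers` assigns `o.extraHandlers = handlers`, so a second call replaces the first set of factories rather than adding to it. If replace-on-call is intended, say so: `// WithExtraHandlers registers handler factories whose handlers are mounted on the public and admin routers next to the built-in ones; calling it again replaces the previously registered factories.` The `deps any` parameter also deserves a sentence on what implementers may expect to receive (presumably the `*RegistryDefault` that `ExtraHandlers` passes as `m`, but that is inferred from driver/registry_default.go, not from this hunk), e.g. `// NewHandlerRegistrar builds an x.HandlerRegistrar from the registry; deps is the Registry, typed as any.`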
@@ -175,6 +177,9 @@ func (m *RegistryDefault) Audit() *logrusx.Logger { } func (m *RegistryDefault) RegisterPublicRoutes(ctx context.Context, router *x.RouterPublic) { + for _, h := range m.ExtraHandlers() { + h.RegisterPublicRoutes(router) + } m.LoginHandler().RegisterPublicRoutes(router) m.RegistrationHandler().RegisterPublicRoutes(router) m.LogoutHandler().RegisterPublicRoutes(router) @@ -198,6 +203,9 @@ func (m *RegistryDefault) RegisterPublicRoutes(ctx context.Context, router *x.Ro } func (m *RegistryDefault) RegisterAdminRoutes(ctx context.Context, router *x.RouterAdmin) { + for _, h := range m.ExtraHandlers() { + h.RegisterAdminRoutes(router) + } m.RegistrationHandler().RegisterAdminRoutes(router) m.LoginHandler().RegisterAdminRoutes(router) m.LogoutHandler().RegisterAdminRoutes(router) @@ -640,6 +648,9 @@ func (m *RegistryDefault) Init(ctx context.Context, ctxer contextx.Contextualize if o.extraHooks != nil { m.WithHooks(o.extraHooks) } + if o.extraHandlers != nil { + m.WithExtraHandlers(o.extraHandlers) + } if o.replaceIdentitySchemaProvider != nil { m.identitySchemaProvider = o.replaceIdentitySchemaProvider(m) @@ -904,3 +915,12 @@ func (m *RegistryDefault) SessionTokenizer() *session.Tokenizer { } return m.sessionTokenizer } + +func (m *RegistryDefault) ExtraHandlers() []x.HandlerRegistrar { + if m.extraHandlers == nil { + for _, newHandler := range m.extraHandlerFactories { + m.extraHandlers = append(m.extraHandlers, newHandler(m)) + } + } + return m.extraHandlers +} diff --git a/driver/registry_default_hooks.go b/driver/registry_default_hooks.go index 73a855daadc5..8b5bfd8bb2a0 100644 --- a/driver/registry_default_hooks.go +++ b/driver/registry_default_hooks.go 
@@ -60,6 +60,9 @@ func (m *RegistryDefault) HookTwoStepRegistration() *hook.TwoStepRegistration { func (m *RegistryDefault) WithHooks(hooks map[string]func(config.SelfServiceHook) interface{}) { m.injectedSelfserviceHooks = hooks } +func (m *RegistryDefault) WithExtraHandlers(handlers []NewHandlerRegistrar) { + m.extraHandlerFactories = handlers +} func (m *RegistryDefault) getHooks(credentialsType string, configs []config.SelfServiceHook) (i []interface{}) { var addSessionIssuer bool diff --git a/embedx/config.schema.json b/embedx/config.schema.json index 5fcf826f4c2a..d9bb0173605e 100644 --- a/embedx/config.schema.json +++ b/embedx/config.schema.json @@ -460,7 +460,8 @@ "linkedin", "linkedin_v2", "lark", - "x" + "x", + "fedcm-test" ], "examples": ["google"] }, @@ -578,6 +579,13 @@ "type": "string", "enum": ["auto", "never", "force"], "default": "auto" + }, + "fedcm_config_url": { + "title": "Federation Configuration URL", + "description": "The URL where the FedCM IdP configuration is located for the provider.", + "type": "string", + "format": "uri", + "examples": ["https://example.com/config.json"] } }, "additionalProperties": false, diff --git a/internal/client-go/.openapi-generator/FILES b/internal/client-go/.openapi-generator/FILES index 118cf9b06463..eef4b6b4dfe9 100644 --- a/internal/client-go/.openapi-generator/FILES +++ b/internal/client-go/.openapi-generator/FILES @@ -35,6 +35,7 @@ docs/ErrorGeneric.md docs/FlowError.md docs/FrontendAPI.md docs/GenericError.md +docs/GetParametersResponse.md docs/GetVersion200Response.md docs/HealthNotReadyStatus.md docs/HealthStatus.md @@ -70,6 +71,7 @@ docs/OAuth2ConsentRequestOpenIDConnectContext.md docs/OAuth2LoginRequest.md docs/PatchIdentitiesBody.md docs/PerformNativeLogoutBody.md +docs/Provider.md docs/RecoveryCodeForIdentity.md docs/RecoveryFlow.md docs/RecoveryFlowState.md 
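Review bot: `WithExtraHandlers` replaces `m.extraHandlerFactories` but leaves the `m.extraHandlers` cache untouched, so if `ExtraHandlers()` has already run (it fills the cache on first use and then short-circuits on a non-nil `m.extraHandlers`), factories set afterwards are silently ignored. Resetting the cache together with the factories keeps the two fields consistent: `m.extraHandlerFactories = handlers` followed by `m.extraHandlers = nil`. `ExtraHandlers` itself lives in driver/registry_default.go, outside this hunk.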
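Review bot: `fedcm-test` is added to the provider enum alongside the real providers, and the diffstat shows a matching `selfservice/strategy/oidc/provider_test_fedcm.go`; if that provider exists for tests only, accepting it in the shipped config schema means an operator can enable it in a live deployment. Consider leaving it out of the enum, or marking it as test-only in the schema's `description`, so the schema does not advertise it as a supported provider. The new `fedcm_config_url` property uses `"format": "uri"`, which does not constrain the scheme; if only HTTPS configuration URLs should be accepted, that check has to happen where the value is consumed, which this hunk does not show.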
@@ -83,6 +85,7 @@ docs/SessionAuthenticationMethod.md docs/SessionDevice.md docs/SettingsFlow.md docs/SettingsFlowState.md +docs/SubmitFedcmTokenBody.md docs/SuccessfulCodeExchangeResponse.md docs/SuccessfulNativeLogin.md docs/SuccessfulNativeRegistration.md @@ -160,6 +163,7 @@ model_error_flow_replaced.go model_error_generic.go model_flow_error.go model_generic_error.go +model_get_parameters_response.go model_get_version_200_response.go model_health_not_ready_status.go model_health_status.go @@ -193,6 +197,7 @@ model_o_auth2_consent_request_open_id_connect_context.go model_o_auth2_login_request.go model_patch_identities_body.go model_perform_native_logout_body.go +model_provider.go model_recovery_code_for_identity.go model_recovery_flow.go model_recovery_flow_state.go @@ -206,6 +211,7 @@ model_session_authentication_method.go model_session_device.go model_settings_flow.go model_settings_flow_state.go +model_submit_fedcm_token_body.go model_successful_code_exchange_response.go model_successful_native_login.go model_successful_native_registration.go diff --git a/internal/client-go/README.md b/internal/client-go/README.md index 97593523117a..76576250b664 100644 --- a/internal/client-go/README.md +++ b/internal/client-go/README.md 
@@ -95,6 +95,7 @@ Class | Method | HTTP request | Description *FrontendAPI* | [**DisableMyOtherSessions**](docs/FrontendAPI.md#disablemyothersessions) | **Delete** /sessions | Disable my other sessions *FrontendAPI* | [**DisableMySession**](docs/FrontendAPI.md#disablemysession) | **Delete** /sessions/{id} | Disable one of my sessions *FrontendAPI* | [**ExchangeSessionToken**](docs/FrontendAPI.md#exchangesessiontoken) | **Get** /sessions/token-exchange | Exchange Session Token +*FrontendAPI* | [**GetFedcmParameters**](docs/FrontendAPI.md#getfedcmparameters) | **Get** /self-service/fed-cm/parameters | Get FedCM Parameters *FrontendAPI* | [**GetFlowError**](docs/FrontendAPI.md#getflowerror) | **Get** /self-service/errors | Get User-Flow Errors *FrontendAPI* | [**GetLoginFlow**](docs/FrontendAPI.md#getloginflow) | **Get** /self-service/login/flows | Get Login Flow *FrontendAPI* | [**GetRecoveryFlow**](docs/FrontendAPI.md#getrecoveryflow) | **Get** /self-service/recovery/flows | Get Recovery Flow 
@@ -104,6 +105,7 @@ Class | Method | HTTP request | Description *FrontendAPI* | [**GetWebAuthnJavaScript**](docs/FrontendAPI.md#getwebauthnjavascript) | **Get** /.well-known/ory/webauthn.js | Get WebAuthn JavaScript *FrontendAPI* | [**ListMySessions**](docs/FrontendAPI.md#listmysessions) | **Get** /sessions | Get My Active Sessions *FrontendAPI* | [**PerformNativeLogout**](docs/FrontendAPI.md#performnativelogout) | **Delete** /self-service/logout/api | Perform Logout for Native Apps +*FrontendAPI* | [**SubmitFedcmToken**](docs/FrontendAPI.md#submitfedcmtoken) | **Post** /self-service/fed-cm/token | Submit a FedCM token *FrontendAPI* | [**ToSession**](docs/FrontendAPI.md#tosession) | **Get** /sessions/whoami | Check Who the Current HTTP Session Belongs To *FrontendAPI* | [**UpdateLoginFlow**](docs/FrontendAPI.md#updateloginflow) | **Post** /self-service/login | Submit a Login Flow *FrontendAPI* | [**UpdateLogoutFlow**](docs/FrontendAPI.md#updatelogoutflow) | **Get** /self-service/logout | Update Logout Flow @@ -160,6 +162,7 @@ Class | Method | HTTP request | Description - [ErrorGeneric](docs/ErrorGeneric.md) - [FlowError](docs/FlowError.md) - [GenericError](docs/GenericError.md) + - [GetParametersResponse](docs/GetParametersResponse.md) - [GetVersion200Response](docs/GetVersion200Response.md) - [HealthNotReadyStatus](docs/HealthNotReadyStatus.md) - [HealthStatus](docs/HealthStatus.md) @@ -193,6 +196,7 @@ Class | Method | HTTP request | Description - [OAuth2LoginRequest](docs/OAuth2LoginRequest.md) - [PatchIdentitiesBody](docs/PatchIdentitiesBody.md) - [PerformNativeLogoutBody](docs/PerformNativeLogoutBody.md) + - [Provider](docs/Provider.md) - [RecoveryCodeForIdentity](docs/RecoveryCodeForIdentity.md) - [RecoveryFlow](docs/RecoveryFlow.md) - [RecoveryFlowState](docs/RecoveryFlowState.md) 
@@ -206,6 +210,7 @@ Class | Method | HTTP request | Description - [SessionDevice](docs/SessionDevice.md) - [SettingsFlow](docs/SettingsFlow.md) - [SettingsFlowState](docs/SettingsFlowState.md) + - [SubmitFedcmTokenBody](docs/SubmitFedcmTokenBody.md) - [SuccessfulCodeExchangeResponse](docs/SuccessfulCodeExchangeResponse.md) - [SuccessfulNativeLogin](docs/SuccessfulNativeLogin.md) - [SuccessfulNativeRegistration](docs/SuccessfulNativeRegistration.md) diff --git a/internal/client-go/api_frontend.go b/internal/client-go/api_frontend.go index 97266e9c4c94..2faad9a5bd32 100644 --- a/internal/client-go/api_frontend.go +++ b/internal/client-go/api_frontend.go @@ -394,6 +394,20 @@ type FrontendAPI interface { */ ExchangeSessionTokenExecute(r FrontendAPIApiExchangeSessionTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) + /* + * GetFedcmParameters Get FedCM Parameters + * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiGetFedcmParametersRequest + */ + GetFedcmParameters(ctx context.Context) FrontendAPIApiGetFedcmParametersRequest + + /* + * GetFedcmParametersExecute executes the request + * @return GetParametersResponse + */ + GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) + /* * GetFlowError Get User-Flow Errors * This endpoint returns the error associated with a user-facing self service errors. 
@@ -637,6 +651,23 @@ type FrontendAPI interface { */ PerformNativeLogoutExecute(r FrontendAPIApiPerformNativeLogoutRequest) (*http.Response, error) + /* + * SubmitFedcmToken Submit a FedCM token + * Use this endpoint to submit a token from a FedCM provider through + `navigator.credentials.get` and log the user in. The parameters from + `navigator.credentials.get` must have come from `GET + self-service/fed-cm/parameters`. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiSubmitFedcmTokenRequest + */ + SubmitFedcmToken(ctx context.Context) FrontendAPIApiSubmitFedcmTokenRequest + + /* + * SubmitFedcmTokenExecute executes the request + * @return SuccessfulNativeLogin + */ + SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcmTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) + /* * ToSession Check Who the Current HTTP Session Belongs To * Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated. 
@@ -3104,6 +3135,124 @@ func (a *FrontendAPIService) ExchangeSessionTokenExecute(r FrontendAPIApiExchang return localVarReturnValue, localVarHTTPResponse, nil } +type FrontendAPIApiGetFedcmParametersRequest struct { + ctx context.Context + ApiService FrontendAPI +} + +func (r FrontendAPIApiGetFedcmParametersRequest) Execute() (*GetParametersResponse, *http.Response, error) { + return r.ApiService.GetFedcmParametersExecute(r) +} + +/* + * GetFedcmParameters Get FedCM Parameters + * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiGetFedcmParametersRequest + */ +func (a *FrontendAPIService) GetFedcmParameters(ctx context.Context) FrontendAPIApiGetFedcmParametersRequest { + return FrontendAPIApiGetFedcmParametersRequest{ + ApiService: a, + ctx: ctx, + } +} + +/* + * Execute executes the request + * @return GetParametersResponse + */ +func (a *FrontendAPIService) GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) { + var ( + localVarHTTPMethod = http.MethodGet + localVarPostBody interface{} + localVarFormFileName string + localVarFileName string + localVarFileBytes []byte + localVarReturnValue *GetParametersResponse + ) + + localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.GetFedcmParameters") + if err != nil { + return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} + } + + localVarPath := localBasePath + "/self-service/fed-cm/parameters" + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := url.Values{} + localVarFormParams := url.Values{} + + // to determine the Content-Type header + localVarHTTPContentTypes := []string{} + + // set Content-Type header + localVarHTTPContentType := 
selectHeaderContentType(localVarHTTPContentTypes) + if localVarHTTPContentType != "" { + localVarHeaderParams["Content-Type"] = localVarHTTPContentType + } + + // to determine the Accept header + localVarHTTPHeaderAccepts := []string{"application/json"} + + // set Accept header + localVarHTTPHeaderAccept := selectHeaderAccept(localVarHTTPHeaderAccepts) + if localVarHTTPHeaderAccept != "" { + localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept + } + req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.client.callAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + localVarBody, err := io.ReadAll(io.LimitReader(localVarHTTPResponse.Body, 1024*1024)) + localVarHTTPResponse.Body.Close() + localVarHTTPResponse.Body = io.NopCloser(bytes.NewBuffer(localVarBody)) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 400 { + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + + err = 
a.client.decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: err.Error(), + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + return localVarReturnValue, localVarHTTPResponse, nil +} + type FrontendAPIApiGetFlowErrorRequest struct { ctx context.Context ApiService FrontendAPI 
@@ -4539,6 +4688,159 @@ func (a *FrontendAPIService) PerformNativeLogoutExecute(r FrontendAPIApiPerformN return localVarHTTPResponse, nil } +type FrontendAPIApiSubmitFedcmTokenRequest struct { + ctx context.Context + ApiService FrontendAPI + submitFedcmTokenBody *SubmitFedcmTokenBody +} + +func (r FrontendAPIApiSubmitFedcmTokenRequest) SubmitFedcmTokenBody(submitFedcmTokenBody SubmitFedcmTokenBody) FrontendAPIApiSubmitFedcmTokenRequest { + r.submitFedcmTokenBody = &submitFedcmTokenBody + return r +} + +func (r FrontendAPIApiSubmitFedcmTokenRequest) Execute() (*SuccessfulNativeLogin, *http.Response, error) { + return r.ApiService.SubmitFedcmTokenExecute(r) +} + +/* + - SubmitFedcmToken Submit a FedCM token + - Use this endpoint to submit a token from a FedCM provider through + +`navigator.credentials.get` and log the user in. The parameters from +`navigator.credentials.get` must have come from `GET +self-service/fed-cm/parameters`. + - @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). 
+ - @return FrontendAPIApiSubmitFedcmTokenRequest +*/ +func (a *FrontendAPIService) SubmitFedcmToken(ctx context.Context) FrontendAPIApiSubmitFedcmTokenRequest { + return FrontendAPIApiSubmitFedcmTokenRequest{ + ApiService: a, + ctx: ctx, + } +} + +/* + * Execute executes the request + * @return SuccessfulNativeLogin + */ +func (a *FrontendAPIService) SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcmTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) { + var ( + localVarHTTPMethod = http.MethodPost + localVarPostBody interface{} + localVarFormFileName string + localVarFileName string + localVarFileBytes []byte + localVarReturnValue *SuccessfulNativeLogin + ) + + localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.SubmitFedcmToken") + if err != nil { + return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} + } + + localVarPath := localBasePath + "/self-service/fed-cm/token" + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := url.Values{} + localVarFormParams := url.Values{} + if r.submitFedcmTokenBody == nil { + return localVarReturnValue, nil, reportError("submitFedcmTokenBody is required and must be specified") + } + + // to determine the Content-Type header + localVarHTTPContentTypes := []string{"application/json", "application/x-www-form-urlencoded"} + + // set Content-Type header + localVarHTTPContentType := selectHeaderContentType(localVarHTTPContentTypes) + if localVarHTTPContentType != "" { + localVarHeaderParams["Content-Type"] = localVarHTTPContentType + } + + // to determine the Accept header + localVarHTTPHeaderAccepts := []string{"application/json"} + + // set Accept header + localVarHTTPHeaderAccept := selectHeaderAccept(localVarHTTPHeaderAccepts) + if localVarHTTPHeaderAccept != "" { + localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept + } + // body params + localVarPostBody = r.submitFedcmTokenBody + req, err := a.client.prepareRequest(r.ctx, localVarPath, 
localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.client.callAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + localVarBody, err := io.ReadAll(io.LimitReader(localVarHTTPResponse.Body, 1024*1024)) + localVarHTTPResponse.Body.Close() + localVarHTTPResponse.Body = io.NopCloser(bytes.NewBuffer(localVarBody)) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 400 { + var v LoginFlow + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + if localVarHTTPResponse.StatusCode == 410 { + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + if localVarHTTPResponse.StatusCode == 422 { + var v ErrorBrowserLocationChangeRequired + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err 
!= nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + + err = a.client.decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: err.Error(), + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + return localVarReturnValue, localVarHTTPResponse, nil +} + type FrontendAPIApiToSessionRequest struct { ctx context.Context ApiService FrontendAPI diff --git a/internal/client-go/go.sum b/internal/client-go/go.sum index c966c8ddfd0d..734252e68153 100644 --- a/internal/client-go/go.sum +++ b/internal/client-go/go.sum @@ -4,6 +4,8 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= diff --git a/internal/client-go/model_get_parameters_response.go b/internal/client-go/model_get_parameters_response.go new file mode 100644 index 000000000000..17616c790407 --- /dev/null +++ b/internal/client-go/model_get_parameters_response.go 
@@ -0,0 +1,150 @@ +/* + * Ory Identities API + * + * This is the API specification for Ory Identities with features such as registration, login, recovery, account verification, profile settings, password reset, identity management, session management, email and sms delivery, and more. + * + * API version: + * Contact: office@ory.sh + */ + +// Code generated by OpenAPI Generator (https://openapi-generator.tech); DO NOT EDIT. + +package client + +import ( + "encoding/json" +) + +// GetParametersResponse Contains a list of all available FedCM providers. +type GetParametersResponse struct { + CsrfToken *string `json:"csrf_token,omitempty"` + Providers []Provider `json:"providers,omitempty"` +} + +// NewGetParametersResponse instantiates a new GetParametersResponse object +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed +func NewGetParametersResponse() *GetParametersResponse { + this := GetParametersResponse{} + return &this +} + +// NewGetParametersResponseWithDefaults instantiates a new GetParametersResponse object +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set +func NewGetParametersResponseWithDefaults() *GetParametersResponse { + this := GetParametersResponse{} + return &this +} + +// GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. +func (o *GetParametersResponse) GetCsrfToken() string { + if o == nil || o.CsrfToken == nil { + var ret string + return ret + } + return *o.CsrfToken +} + +// GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise +// and a boolean to check if the value has been set. 
+func (o *GetParametersResponse) GetCsrfTokenOk() (*string, bool) { + if o == nil || o.CsrfToken == nil { + return nil, false + } + return o.CsrfToken, true +} + +// HasCsrfToken returns a boolean if a field has been set. +func (o *GetParametersResponse) HasCsrfToken() bool { + if o != nil && o.CsrfToken != nil { + return true + } + + return false +} + +// SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field. +func (o *GetParametersResponse) SetCsrfToken(v string) { + o.CsrfToken = &v +} + +// GetProviders returns the Providers field value if set, zero value otherwise. +func (o *GetParametersResponse) GetProviders() []Provider { + if o == nil || o.Providers == nil { + var ret []Provider + return ret + } + return o.Providers +} + +// GetProvidersOk returns a tuple with the Providers field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *GetParametersResponse) GetProvidersOk() ([]Provider, bool) { + if o == nil || o.Providers == nil { + return nil, false + } + return o.Providers, true +} + +// HasProviders returns a boolean if a field has been set. +func (o *GetParametersResponse) HasProviders() bool { + if o != nil && o.Providers != nil { + return true + } + + return false +} + +// SetProviders gets a reference to the given []Provider and assigns it to the Providers field. 
+func (o *GetParametersResponse) SetProviders(v []Provider) { + o.Providers = v +} + +func (o GetParametersResponse) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.CsrfToken != nil { + toSerialize["csrf_token"] = o.CsrfToken + } + if o.Providers != nil { + toSerialize["providers"] = o.Providers + } + return json.Marshal(toSerialize) +} + +type NullableGetParametersResponse struct { + value *GetParametersResponse + isSet bool +} + +func (v NullableGetParametersResponse) Get() *GetParametersResponse { + return v.value +} + +func (v *NullableGetParametersResponse) Set(val *GetParametersResponse) { + v.value = val + v.isSet = true +} + +func (v NullableGetParametersResponse) IsSet() bool { + return v.isSet +} + +func (v *NullableGetParametersResponse) Unset() { + v.value = nil + v.isSet = false +} + +func NewNullableGetParametersResponse(val *GetParametersResponse) *NullableGetParametersResponse { + return &NullableGetParametersResponse{value: val, isSet: true} +} + +func (v NullableGetParametersResponse) MarshalJSON() ([]byte, error) { + return json.Marshal(v.value) +} + +func (v *NullableGetParametersResponse) UnmarshalJSON(src []byte) error { + v.isSet = true + return json.Unmarshal(src, &v.value) +} diff --git a/internal/client-go/model_provider.go b/internal/client-go/model_provider.go new file mode 100644 index 000000000000..2c9a79590e0e --- /dev/null +++ b/internal/client-go/model_provider.go 
@@ -0,0 +1,337 @@ +/* + * Ory Identities API + * + * This is the API specification for Ory Identities with features such as registration, login, recovery, account verification, profile settings, password reset, identity management, session management, email and sms delivery, and more. + * + * API version: + * Contact: office@ory.sh + */ + +// Code generated by OpenAPI Generator (https://openapi-generator.tech); DO NOT EDIT. + +package client + +import ( + "encoding/json" +) + +// Provider struct for Provider +type Provider struct { + // The RP's client identifier, issued by the IdP. + ClientId *string `json:"client_id,omitempty"` + // A full path of the IdP config file. + ConfigUrl *string `json:"config_url,omitempty"` + // By specifying one of domain_hints values provided by the accounts endpoints, the FedCM dialog selectively shows the specified account. + DomainHint *string `json:"domain_hint,omitempty"` + // Array of strings that specifies the user information (\"name\", \" email\", \"picture\") that RP needs IdP to share with them. Note: Field API is supported by Chrome 132 and later. + Fields []string `json:"fields,omitempty"` + // By specifying one of login_hints values provided by the accounts endpoints, the FedCM dialog selectively shows the specified account. + LoginHint *string `json:"login_hint,omitempty"` + // A random string to ensure the response is issued for this specific request. Prevents replay attacks. + Nonce *string `json:"nonce,omitempty"` + // Custom object that allows to specify additional key-value parameters: scope: A string value containing additional permissions that RP needs to request, for example \" drive.readonly calendar.readonly\" nonce: A random string to ensure the response is issued for this specific request. Prevents replay attacks. Other custom key-value parameters. Note: parameters is supported from Chrome 132. 
+ Parameters *map[string]string `json:"parameters,omitempty"` +} + +// NewProvider instantiates a new Provider object +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed +func NewProvider() *Provider { + this := Provider{} + return &this +} + +// NewProviderWithDefaults instantiates a new Provider object +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set +func NewProviderWithDefaults() *Provider { + this := Provider{} + return &this +} + +// GetClientId returns the ClientId field value if set, zero value otherwise. +func (o *Provider) GetClientId() string { + if o == nil || o.ClientId == nil { + var ret string + return ret + } + return *o.ClientId +} + +// GetClientIdOk returns a tuple with the ClientId field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetClientIdOk() (*string, bool) { + if o == nil || o.ClientId == nil { + return nil, false + } + return o.ClientId, true +} + +// HasClientId returns a boolean if a field has been set. +func (o *Provider) HasClientId() bool { + if o != nil && o.ClientId != nil { + return true + } + + return false +} + +// SetClientId gets a reference to the given string and assigns it to the ClientId field. +func (o *Provider) SetClientId(v string) { + o.ClientId = &v +} + +// GetConfigUrl returns the ConfigUrl field value if set, zero value otherwise. +func (o *Provider) GetConfigUrl() string { + if o == nil || o.ConfigUrl == nil { + var ret string + return ret + } + return *o.ConfigUrl +} + +// GetConfigUrlOk returns a tuple with the ConfigUrl field value if set, nil otherwise +// and a boolean to check if the value has been set. 
+func (o *Provider) GetConfigUrlOk() (*string, bool) { + if o == nil || o.ConfigUrl == nil { + return nil, false + } + return o.ConfigUrl, true +} + +// HasConfigUrl returns a boolean if a field has been set. +func (o *Provider) HasConfigUrl() bool { + if o != nil && o.ConfigUrl != nil { + return true + } + + return false +} + +// SetConfigUrl gets a reference to the given string and assigns it to the ConfigUrl field. +func (o *Provider) SetConfigUrl(v string) { + o.ConfigUrl = &v +} + +// GetDomainHint returns the DomainHint field value if set, zero value otherwise. +func (o *Provider) GetDomainHint() string { + if o == nil || o.DomainHint == nil { + var ret string + return ret + } + return *o.DomainHint +} + +// GetDomainHintOk returns a tuple with the DomainHint field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetDomainHintOk() (*string, bool) { + if o == nil || o.DomainHint == nil { + return nil, false + } + return o.DomainHint, true +} + +// HasDomainHint returns a boolean if a field has been set. +func (o *Provider) HasDomainHint() bool { + if o != nil && o.DomainHint != nil { + return true + } + + return false +} + +// SetDomainHint gets a reference to the given string and assigns it to the DomainHint field. +func (o *Provider) SetDomainHint(v string) { + o.DomainHint = &v +} + +// GetFields returns the Fields field value if set, zero value otherwise. +func (o *Provider) GetFields() []string { + if o == nil || o.Fields == nil { + var ret []string + return ret + } + return o.Fields +} + +// GetFieldsOk returns a tuple with the Fields field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetFieldsOk() ([]string, bool) { + if o == nil || o.Fields == nil { + return nil, false + } + return o.Fields, true +} + +// HasFields returns a boolean if a field has been set. 
+func (o *Provider) HasFields() bool { + if o != nil && o.Fields != nil { + return true + } + + return false +} + +// SetFields gets a reference to the given []string and assigns it to the Fields field. +func (o *Provider) SetFields(v []string) { + o.Fields = v +} + +// GetLoginHint returns the LoginHint field value if set, zero value otherwise. +func (o *Provider) GetLoginHint() string { + if o == nil || o.LoginHint == nil { + var ret string + return ret + } + return *o.LoginHint +} + +// GetLoginHintOk returns a tuple with the LoginHint field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetLoginHintOk() (*string, bool) { + if o == nil || o.LoginHint == nil { + return nil, false + } + return o.LoginHint, true +} + +// HasLoginHint returns a boolean if a field has been set. +func (o *Provider) HasLoginHint() bool { + if o != nil && o.LoginHint != nil { + return true + } + + return false +} + +// SetLoginHint gets a reference to the given string and assigns it to the LoginHint field. +func (o *Provider) SetLoginHint(v string) { + o.LoginHint = &v +} + +// GetNonce returns the Nonce field value if set, zero value otherwise. +func (o *Provider) GetNonce() string { + if o == nil || o.Nonce == nil { + var ret string + return ret + } + return *o.Nonce +} + +// GetNonceOk returns a tuple with the Nonce field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetNonceOk() (*string, bool) { + if o == nil || o.Nonce == nil { + return nil, false + } + return o.Nonce, true +} + +// HasNonce returns a boolean if a field has been set. +func (o *Provider) HasNonce() bool { + if o != nil && o.Nonce != nil { + return true + } + + return false +} + +// SetNonce gets a reference to the given string and assigns it to the Nonce field. +func (o *Provider) SetNonce(v string) { + o.Nonce = &v +} + +// GetParameters returns the Parameters field value if set, zero value otherwise. 
+func (o *Provider) GetParameters() map[string]string { + if o == nil || o.Parameters == nil { + var ret map[string]string + return ret + } + return *o.Parameters +} + +// GetParametersOk returns a tuple with the Parameters field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetParametersOk() (*map[string]string, bool) { + if o == nil || o.Parameters == nil { + return nil, false + } + return o.Parameters, true +} + +// HasParameters returns a boolean if a field has been set. +func (o *Provider) HasParameters() bool { + if o != nil && o.Parameters != nil { + return true + } + + return false +} + +// SetParameters gets a reference to the given map[string]string and assigns it to the Parameters field. +func (o *Provider) SetParameters(v map[string]string) { + o.Parameters = &v +} + +func (o Provider) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.ClientId != nil { + toSerialize["client_id"] = o.ClientId + } + if o.ConfigUrl != nil { + toSerialize["config_url"] = o.ConfigUrl + } + if o.DomainHint != nil { + toSerialize["domain_hint"] = o.DomainHint + } + if o.Fields != nil { + toSerialize["fields"] = o.Fields + } + if o.LoginHint != nil { + toSerialize["login_hint"] = o.LoginHint + } + if o.Nonce != nil { + toSerialize["nonce"] = o.Nonce + } + if o.Parameters != nil { + toSerialize["parameters"] = o.Parameters + } + return json.Marshal(toSerialize) +} + +type NullableProvider struct { + value *Provider + isSet bool +} + +func (v NullableProvider) Get() *Provider { + return v.value +} + +func (v *NullableProvider) Set(val *Provider) { + v.value = val + v.isSet = true +} + +func (v NullableProvider) IsSet() bool { + return v.isSet +} + +func (v *NullableProvider) Unset() { + v.value = nil + v.isSet = false +} + +func NewNullableProvider(val *Provider) *NullableProvider { + return &NullableProvider{value: val, isSet: true} +} + +func (v NullableProvider) MarshalJSON() ([]byte, error) 
{ + return json.Marshal(v.value) +} + +func (v *NullableProvider) UnmarshalJSON(src []byte) error { + v.isSet = true + return json.Unmarshal(src, &v.value) +} diff --git a/internal/client-go/model_submit_fedcm_token_body.go b/internal/client-go/model_submit_fedcm_token_body.go new file mode 100644 index 000000000000..8b2fbc54c70f --- /dev/null +++ b/internal/client-go/model_submit_fedcm_token_body.go 
@@ -0,0 +1,114 @@ +/* + * Ory Identities API + * + * This is the API specification for Ory Identities with features such as registration, login, recovery, account verification, profile settings, password reset, identity management, session management, email and sms delivery, and more. + * + * API version: + * Contact: office@ory.sh + */ + +// Code generated by OpenAPI Generator (https://openapi-generator.tech); DO NOT EDIT. + +package client + +import ( + "encoding/json" +) + +// SubmitFedcmTokenBody struct for SubmitFedcmTokenBody +type SubmitFedcmTokenBody struct { + Token *string `json:"token,omitempty"` +} + +// NewSubmitFedcmTokenBody instantiates a new SubmitFedcmTokenBody object +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed +func NewSubmitFedcmTokenBody() *SubmitFedcmTokenBody { + this := SubmitFedcmTokenBody{} + return &this +} + +// NewSubmitFedcmTokenBodyWithDefaults instantiates a new SubmitFedcmTokenBody object +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set +func NewSubmitFedcmTokenBodyWithDefaults() *SubmitFedcmTokenBody { + this := SubmitFedcmTokenBody{} + return &this +} + +// GetToken returns the Token field value if set, zero value otherwise. +func (o *SubmitFedcmTokenBody) GetToken() string { + if o == nil || o.Token == nil { + var ret string + return ret + } + return *o.Token +} + +// GetTokenOk returns a tuple with the Token field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SubmitFedcmTokenBody) GetTokenOk() (*string, bool) { + if o == nil || o.Token == nil { + return nil, false + } + return o.Token, true +} + +// HasToken returns a boolean if a field has been set. 
+func (o *SubmitFedcmTokenBody) HasToken() bool { + if o != nil && o.Token != nil { + return true + } + + return false +} + +// SetToken gets a reference to the given string and assigns it to the Token field. +func (o *SubmitFedcmTokenBody) SetToken(v string) { + o.Token = &v +} + +func (o SubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.Token != nil { + toSerialize["token"] = o.Token + } + return json.Marshal(toSerialize) +} + +type NullableSubmitFedcmTokenBody struct { + value *SubmitFedcmTokenBody + isSet bool +} + +func (v NullableSubmitFedcmTokenBody) Get() *SubmitFedcmTokenBody { + return v.value +} + +func (v *NullableSubmitFedcmTokenBody) Set(val *SubmitFedcmTokenBody) { + v.value = val + v.isSet = true +} + +func (v NullableSubmitFedcmTokenBody) IsSet() bool { + return v.isSet +} + +func (v *NullableSubmitFedcmTokenBody) Unset() { + v.value = nil + v.isSet = false +} + +func NewNullableSubmitFedcmTokenBody(val *SubmitFedcmTokenBody) *NullableSubmitFedcmTokenBody { + return &NullableSubmitFedcmTokenBody{value: val, isSet: true} +} + +func (v NullableSubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { + return json.Marshal(v.value) +} + +func (v *NullableSubmitFedcmTokenBody) UnmarshalJSON(src []byte) error { + v.isSet = true + return json.Unmarshal(src, &v.value) +} diff --git a/internal/client-go/model_update_login_flow_with_oidc_method.go b/internal/client-go/model_update_login_flow_with_oidc_method.go index cdd5c665bdc5..c7ebbec5e248 100644 --- a/internal/client-go/model_update_login_flow_with_oidc_method.go +++ b/internal/client-go/model_update_login_flow_with_oidc_method.go 
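Review bot: Token is the only field of SubmitFedcmTokenBody, yet it is generated as optional (`Token *string` with `omitempty`), so a client can legitimately send `{}` to the token endpoint and the server must reject a missing or empty token on its own. If the token is mandatory for this request, marking it required in the spec would generate `Token string `json:"token"`` plus a constructor that takes it, and document the contract to client authors. This file is generator output, so the change belongs in the OpenAPI source it is produced from, not here.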
@@ -17,21 +17,21 @@ import ( // UpdateLoginFlowWithOidcMethod Update Login Flow with OpenID Connect Method type UpdateLoginFlowWithOidcMethod struct { + // The Provider to register with + Provider string `json:"Provider"` // The CSRF Token CsrfToken *string `json:"csrf_token,omitempty"` - // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google + // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google IdToken *string `json:"id_token,omitempty"` - // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and required. + // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and required. IdTokenNonce *string `json:"id_token_nonce,omitempty"` // Method to use This field must be set to `oidc` when using the oidc method. Method string `json:"method"` - // The provider to register with - Provider string `json:"provider"` // The identity traits. This is a placeholder for the registration flow. 
Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
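Review bot: The JSON tag on the moved Provider field changed from `json:"provider"` to `json:"Provider"`, so the generated client now emits a capitalised key while every other field keeps its snake_case name; the same change appears in UpdateRegistrationFlowWithOidcMethod and in both MarshalJSON hunks (`toSerialize["Provider"] = o.Provider`). Any server or existing client that agrees on `provider` will stop interoperating with this client for OIDC login and registration submissions. The doc comments in these hunks also turn "provider" into "Provider" mid-sentence, which suggests a case-sensitive replace in the hand-written source struct that also hit the tag. Since this file is generated, the fix is to restore `Provider string `json:"provider"`` in the source struct and regenerate the spec and clients.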
@@ -39,10 +39,10 @@ type UpdateLoginFlowWithOidcMethod struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUpdateLoginFlowWithOidcMethod(method string, provider string) *UpdateLoginFlowWithOidcMethod { +func NewUpdateLoginFlowWithOidcMethod(provider string, method string) *UpdateLoginFlowWithOidcMethod { this := UpdateLoginFlowWithOidcMethod{} - this.Method = method this.Provider = provider + this.Method = method return &this } @@ -54,6 +54,30 @@ func NewUpdateLoginFlowWithOidcMethodWithDefaults() *UpdateLoginFlowWithOidcMeth return &this } +// GetProvider returns the Provider field value +func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string { + if o == nil { + var ret string + return ret + } + + return o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value +// and a boolean to check if the value has been set. +func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Provider, true +} + +// SetProvider sets field value +func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) { + o.Provider = v +} + // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. func (o *UpdateLoginFlowWithOidcMethod) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { 
@@ -174,30 +198,6 @@ func (o *UpdateLoginFlowWithOidcMethod) SetMethod(v string) { o.Method = v } -// GetProvider returns the Provider field value -func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string { - if o == nil { - var ret string - return ret - } - - return o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value -// and a boolean to check if the value has been set. -func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) { - if o == nil { - return nil, false - } - return &o.Provider, true -} - -// SetProvider sets field value -func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) { - o.Provider = v -} - // GetTraits returns the Traits field value if set, zero value otherwise. func (o *UpdateLoginFlowWithOidcMethod) GetTraits() map[string]interface{} { if o == nil || o.Traits == nil { @@ -296,6 +296,9 @@ func (o *UpdateLoginFlowWithOidcMethod) SetUpstreamParameters(v map[string]inter func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} + if true { + toSerialize["Provider"] = o.Provider + } if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken } @@ -308,9 +311,6 @@ func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) { if true { toSerialize["method"] = o.Method } - if true { - toSerialize["provider"] = o.Provider - } if o.Traits != nil { toSerialize["traits"] = o.Traits } diff --git a/internal/client-go/model_update_registration_flow_with_oidc_method.go b/internal/client-go/model_update_registration_flow_with_oidc_method.go index 2ee32605fee6..d96f8bb21777 100644 --- a/internal/client-go/model_update_registration_flow_with_oidc_method.go +++ b/internal/client-go/model_update_registration_flow_with_oidc_method.go 
@@ -17,21 +17,21 @@ import ( // UpdateRegistrationFlowWithOidcMethod Update Registration Flow with OpenID Connect Method type UpdateRegistrationFlowWithOidcMethod struct { + // The Provider to register with + Provider string `json:"Provider"` // The CSRF Token CsrfToken *string `json:"csrf_token,omitempty"` - // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google + // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google IdToken *string `json:"id_token,omitempty"` - // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and is required. + // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and is required. IdTokenNonce *string `json:"id_token_nonce,omitempty"` // Method to use This field must be set to `oidc` when using the oidc method. 
Method string `json:"method"` - // The provider to register with - Provider string `json:"provider"` // The identity traits Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
@@ -39,10 +39,10 @@ type UpdateRegistrationFlowWithOidcMethod struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUpdateRegistrationFlowWithOidcMethod(method string, provider string) *UpdateRegistrationFlowWithOidcMethod { +func NewUpdateRegistrationFlowWithOidcMethod(provider string, method string) *UpdateRegistrationFlowWithOidcMethod { this := UpdateRegistrationFlowWithOidcMethod{} - this.Method = method this.Provider = provider + this.Method = method return &this } @@ -54,6 +54,30 @@ func NewUpdateRegistrationFlowWithOidcMethodWithDefaults() *UpdateRegistrationFl return &this } +// GetProvider returns the Provider field value +func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string { + if o == nil { + var ret string + return ret + } + + return o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value +// and a boolean to check if the value has been set. +func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Provider, true +} + +// SetProvider sets field value +func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) { + o.Provider = v +} + // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. func (o *UpdateRegistrationFlowWithOidcMethod) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { 
@@ -174,30 +198,6 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetMethod(v string) { o.Method = v } -// GetProvider returns the Provider field value -func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string { - if o == nil { - var ret string - return ret - } - - return o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value -// and a boolean to check if the value has been set. -func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) { - if o == nil { - return nil, false - } - return &o.Provider, true -} - -// SetProvider sets field value -func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) { - o.Provider = v -} - // GetTraits returns the Traits field value if set, zero value otherwise. func (o *UpdateRegistrationFlowWithOidcMethod) GetTraits() map[string]interface{} { if o == nil || o.Traits == nil { @@ -296,6 +296,9 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetUpstreamParameters(v map[strin func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} + if true { + toSerialize["Provider"] = o.Provider + } if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken } @@ -308,9 +311,6 @@ func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) { if true { toSerialize["method"] = o.Method } - if true { - toSerialize["provider"] = o.Provider - } if o.Traits != nil { toSerialize["traits"] = o.Traits } diff --git a/internal/client-go/model_update_settings_flow_with_oidc_method.go b/internal/client-go/model_update_settings_flow_with_oidc_method.go index c54a0d1251f3..6a1650c5c317 100644 --- a/internal/client-go/model_update_settings_flow_with_oidc_method.go +++ b/internal/client-go/model_update_settings_flow_with_oidc_method.go 
@@ -19,7 +19,7 @@ import ( type UpdateSettingsFlowWithOidcMethod struct { // Flow ID is the flow's ID. in: query Flow *string `json:"flow,omitempty"` - // Link this provider Either this or `unlink` must be set. type: string in: body + // Link this Provider Either this or `unlink` must be set. type: string in: body Link *string `json:"link,omitempty"` // Method Should be set to profile when trying to update a profile. Method string `json:"method"` 
@@ -27,9 +27,9 @@ type UpdateSettingsFlowWithOidcMethod struct { Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // Unlink this provider Either this or `link` must be set. type: string in: body + // Unlink this Provider Either this or `link` must be set. type: string in: body Unlink *string `json:"unlink,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } diff --git a/internal/httpclient/.openapi-generator/FILES b/internal/httpclient/.openapi-generator/FILES index 118cf9b06463..eef4b6b4dfe9 100644 
--- a/internal/httpclient/.openapi-generator/FILES +++ b/internal/httpclient/.openapi-generator/FILES @@ -35,6 +35,7 @@ docs/ErrorGeneric.md docs/FlowError.md docs/FrontendAPI.md docs/GenericError.md +docs/GetParametersResponse.md docs/GetVersion200Response.md docs/HealthNotReadyStatus.md docs/HealthStatus.md @@ -70,6 +71,7 @@ docs/OAuth2ConsentRequestOpenIDConnectContext.md docs/OAuth2LoginRequest.md docs/PatchIdentitiesBody.md docs/PerformNativeLogoutBody.md +docs/Provider.md docs/RecoveryCodeForIdentity.md docs/RecoveryFlow.md docs/RecoveryFlowState.md @@ -83,6 +85,7 @@ docs/SessionAuthenticationMethod.md docs/SessionDevice.md docs/SettingsFlow.md docs/SettingsFlowState.md +docs/SubmitFedcmTokenBody.md docs/SuccessfulCodeExchangeResponse.md docs/SuccessfulNativeLogin.md docs/SuccessfulNativeRegistration.md @@ -160,6 +163,7 @@ model_error_flow_replaced.go model_error_generic.go model_flow_error.go model_generic_error.go +model_get_parameters_response.go model_get_version_200_response.go model_health_not_ready_status.go model_health_status.go @@ -193,6 +197,7 @@ model_o_auth2_consent_request_open_id_connect_context.go model_o_auth2_login_request.go model_patch_identities_body.go model_perform_native_logout_body.go +model_provider.go model_recovery_code_for_identity.go model_recovery_flow.go model_recovery_flow_state.go @@ -206,6 +211,7 @@ model_session_authentication_method.go model_session_device.go model_settings_flow.go model_settings_flow_state.go +model_submit_fedcm_token_body.go model_successful_code_exchange_response.go model_successful_native_login.go model_successful_native_registration.go diff --git a/internal/httpclient/README.md b/internal/httpclient/README.md index 97593523117a..76576250b664 100644 --- a/internal/httpclient/README.md +++ b/internal/httpclient/README.md 
@@ -95,6 +95,7 @@ Class | Method | HTTP request | Description *FrontendAPI* | [**DisableMyOtherSessions**](docs/FrontendAPI.md#disablemyothersessions) | **Delete** /sessions | Disable my other sessions *FrontendAPI* | [**DisableMySession**](docs/FrontendAPI.md#disablemysession) | **Delete** /sessions/{id} | Disable one of my sessions *FrontendAPI* | [**ExchangeSessionToken**](docs/FrontendAPI.md#exchangesessiontoken) | **Get** /sessions/token-exchange | Exchange Session Token +*FrontendAPI* | [**GetFedcmParameters**](docs/FrontendAPI.md#getfedcmparameters) | **Get** /self-service/fed-cm/parameters | Get FedCM Parameters *FrontendAPI* | [**GetFlowError**](docs/FrontendAPI.md#getflowerror) | **Get** /self-service/errors | Get User-Flow Errors *FrontendAPI* | [**GetLoginFlow**](docs/FrontendAPI.md#getloginflow) | **Get** /self-service/login/flows | Get Login Flow *FrontendAPI* | [**GetRecoveryFlow**](docs/FrontendAPI.md#getrecoveryflow) | **Get** /self-service/recovery/flows | Get Recovery Flow 
@@ -104,6 +105,7 @@ Class | Method | HTTP request | Description *FrontendAPI* | [**GetWebAuthnJavaScript**](docs/FrontendAPI.md#getwebauthnjavascript) | **Get** /.well-known/ory/webauthn.js | Get WebAuthn JavaScript *FrontendAPI* | [**ListMySessions**](docs/FrontendAPI.md#listmysessions) | **Get** /sessions | Get My Active Sessions *FrontendAPI* | [**PerformNativeLogout**](docs/FrontendAPI.md#performnativelogout) | **Delete** /self-service/logout/api | Perform Logout for Native Apps +*FrontendAPI* | [**SubmitFedcmToken**](docs/FrontendAPI.md#submitfedcmtoken) | **Post** /self-service/fed-cm/token | Submit a FedCM token *FrontendAPI* | [**ToSession**](docs/FrontendAPI.md#tosession) | **Get** /sessions/whoami | Check Who the Current HTTP Session Belongs To *FrontendAPI* | [**UpdateLoginFlow**](docs/FrontendAPI.md#updateloginflow) | **Post** /self-service/login | Submit a Login Flow *FrontendAPI* | [**UpdateLogoutFlow**](docs/FrontendAPI.md#updatelogoutflow) | **Get** /self-service/logout | Update Logout Flow @@ -160,6 +162,7 @@ Class | Method | HTTP request | Description - [ErrorGeneric](docs/ErrorGeneric.md) - [FlowError](docs/FlowError.md) - [GenericError](docs/GenericError.md) + - [GetParametersResponse](docs/GetParametersResponse.md) - [GetVersion200Response](docs/GetVersion200Response.md) - [HealthNotReadyStatus](docs/HealthNotReadyStatus.md) - [HealthStatus](docs/HealthStatus.md) @@ -193,6 +196,7 @@ Class | Method | HTTP request | Description - [OAuth2LoginRequest](docs/OAuth2LoginRequest.md) - [PatchIdentitiesBody](docs/PatchIdentitiesBody.md) - [PerformNativeLogoutBody](docs/PerformNativeLogoutBody.md) + - [Provider](docs/Provider.md) - [RecoveryCodeForIdentity](docs/RecoveryCodeForIdentity.md) - [RecoveryFlow](docs/RecoveryFlow.md) - [RecoveryFlowState](docs/RecoveryFlowState.md) 
@@ -206,6 +210,7 @@ Class | Method | HTTP request | Description - [SessionDevice](docs/SessionDevice.md) - [SettingsFlow](docs/SettingsFlow.md) - [SettingsFlowState](docs/SettingsFlowState.md) + - [SubmitFedcmTokenBody](docs/SubmitFedcmTokenBody.md) - [SuccessfulCodeExchangeResponse](docs/SuccessfulCodeExchangeResponse.md) - [SuccessfulNativeLogin](docs/SuccessfulNativeLogin.md) - [SuccessfulNativeRegistration](docs/SuccessfulNativeRegistration.md) diff --git a/internal/httpclient/api_frontend.go b/internal/httpclient/api_frontend.go index 97266e9c4c94..2faad9a5bd32 100644 --- a/internal/httpclient/api_frontend.go +++ b/internal/httpclient/api_frontend.go @@ -394,6 +394,20 @@ type FrontendAPI interface { */ ExchangeSessionTokenExecute(r FrontendAPIApiExchangeSessionTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) + /* + * GetFedcmParameters Get FedCM Parameters + * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiGetFedcmParametersRequest + */ + GetFedcmParameters(ctx context.Context) FrontendAPIApiGetFedcmParametersRequest + + /* + * GetFedcmParametersExecute executes the request + * @return GetParametersResponse + */ + GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) + /* * GetFlowError Get User-Flow Errors * This endpoint returns the error associated with a user-facing self service errors. 
@@ -637,6 +651,23 @@ type FrontendAPI interface { */ PerformNativeLogoutExecute(r FrontendAPIApiPerformNativeLogoutRequest) (*http.Response, error) + /* + * SubmitFedcmToken Submit a FedCM token + * Use this endpoint to submit a token from a FedCM provider through + `navigator.credentials.get` and log the user in. The parameters from + `navigator.credentials.get` must have come from `GET + self-service/fed-cm/parameters`. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiSubmitFedcmTokenRequest + */ + SubmitFedcmToken(ctx context.Context) FrontendAPIApiSubmitFedcmTokenRequest + + /* + * SubmitFedcmTokenExecute executes the request + * @return SuccessfulNativeLogin + */ + SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcmTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) + /* * ToSession Check Who the Current HTTP Session Belongs To * Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated. 
@@ -3104,6 +3135,124 @@ func (a *FrontendAPIService) ExchangeSessionTokenExecute(r FrontendAPIApiExchang return localVarReturnValue, localVarHTTPResponse, nil } +type FrontendAPIApiGetFedcmParametersRequest struct { + ctx context.Context + ApiService FrontendAPI +} + +func (r FrontendAPIApiGetFedcmParametersRequest) Execute() (*GetParametersResponse, *http.Response, error) { + return r.ApiService.GetFedcmParametersExecute(r) +} + +/* + * GetFedcmParameters Get FedCM Parameters + * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiGetFedcmParametersRequest + */ +func (a *FrontendAPIService) GetFedcmParameters(ctx context.Context) FrontendAPIApiGetFedcmParametersRequest { + return FrontendAPIApiGetFedcmParametersRequest{ + ApiService: a, + ctx: ctx, + } +} + +/* + * Execute executes the request + * @return GetParametersResponse + */ +func (a *FrontendAPIService) GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) { + var ( + localVarHTTPMethod = http.MethodGet + localVarPostBody interface{} + localVarFormFileName string + localVarFileName string + localVarFileBytes []byte + localVarReturnValue *GetParametersResponse + ) + + localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.GetFedcmParameters") + if err != nil { + return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} + } + + localVarPath := localBasePath + "/self-service/fed-cm/parameters" + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := url.Values{} + localVarFormParams := url.Values{} + + // to determine the Content-Type header + localVarHTTPContentTypes := []string{} + + // set Content-Type header + localVarHTTPContentType := 
selectHeaderContentType(localVarHTTPContentTypes) + if localVarHTTPContentType != "" { + localVarHeaderParams["Content-Type"] = localVarHTTPContentType + } + + // to determine the Accept header + localVarHTTPHeaderAccepts := []string{"application/json"} + + // set Accept header + localVarHTTPHeaderAccept := selectHeaderAccept(localVarHTTPHeaderAccepts) + if localVarHTTPHeaderAccept != "" { + localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept + } + req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.client.callAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + localVarBody, err := io.ReadAll(io.LimitReader(localVarHTTPResponse.Body, 1024*1024)) + localVarHTTPResponse.Body.Close() + localVarHTTPResponse.Body = io.NopCloser(bytes.NewBuffer(localVarBody)) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 400 { + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + + err = 
a.client.decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: err.Error(), + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + return localVarReturnValue, localVarHTTPResponse, nil +} + type FrontendAPIApiGetFlowErrorRequest struct { ctx context.Context ApiService FrontendAPI 
@@ -4539,6 +4688,159 @@ func (a *FrontendAPIService) PerformNativeLogoutExecute(r FrontendAPIApiPerformN return localVarHTTPResponse, nil } +type FrontendAPIApiSubmitFedcmTokenRequest struct { + ctx context.Context + ApiService FrontendAPI + submitFedcmTokenBody *SubmitFedcmTokenBody +} + +func (r FrontendAPIApiSubmitFedcmTokenRequest) SubmitFedcmTokenBody(submitFedcmTokenBody SubmitFedcmTokenBody) FrontendAPIApiSubmitFedcmTokenRequest { + r.submitFedcmTokenBody = &submitFedcmTokenBody + return r +} + +func (r FrontendAPIApiSubmitFedcmTokenRequest) Execute() (*SuccessfulNativeLogin, *http.Response, error) { + return r.ApiService.SubmitFedcmTokenExecute(r) +} + +/* + - SubmitFedcmToken Submit a FedCM token + - Use this endpoint to submit a token from a FedCM provider through + +`navigator.credentials.get` and log the user in. The parameters from +`navigator.credentials.get` must have come from `GET +self-service/fed-cm/parameters`. + - @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). 
+ - @return FrontendAPIApiSubmitFedcmTokenRequest +*/ +func (a *FrontendAPIService) SubmitFedcmToken(ctx context.Context) FrontendAPIApiSubmitFedcmTokenRequest { + return FrontendAPIApiSubmitFedcmTokenRequest{ + ApiService: a, + ctx: ctx, + } +} + +/* + * Execute executes the request + * @return SuccessfulNativeLogin + */ +func (a *FrontendAPIService) SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcmTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) { + var ( + localVarHTTPMethod = http.MethodPost + localVarPostBody interface{} + localVarFormFileName string + localVarFileName string + localVarFileBytes []byte + localVarReturnValue *SuccessfulNativeLogin + ) + + localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.SubmitFedcmToken") + if err != nil { + return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} + } + + localVarPath := localBasePath + "/self-service/fed-cm/token" + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := url.Values{} + localVarFormParams := url.Values{} + if r.submitFedcmTokenBody == nil { + return localVarReturnValue, nil, reportError("submitFedcmTokenBody is required and must be specified") + } + + // to determine the Content-Type header + localVarHTTPContentTypes := []string{"application/json", "application/x-www-form-urlencoded"} + + // set Content-Type header + localVarHTTPContentType := selectHeaderContentType(localVarHTTPContentTypes) + if localVarHTTPContentType != "" { + localVarHeaderParams["Content-Type"] = localVarHTTPContentType + } + + // to determine the Accept header + localVarHTTPHeaderAccepts := []string{"application/json"} + + // set Accept header + localVarHTTPHeaderAccept := selectHeaderAccept(localVarHTTPHeaderAccepts) + if localVarHTTPHeaderAccept != "" { + localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept + } + // body params + localVarPostBody = r.submitFedcmTokenBody + req, err := a.client.prepareRequest(r.ctx, localVarPath, 
localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.client.callAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + localVarBody, err := io.ReadAll(io.LimitReader(localVarHTTPResponse.Body, 1024*1024)) + localVarHTTPResponse.Body.Close() + localVarHTTPResponse.Body = io.NopCloser(bytes.NewBuffer(localVarBody)) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 400 { + var v LoginFlow + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + if localVarHTTPResponse.StatusCode == 410 { + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + if localVarHTTPResponse.StatusCode == 422 { + var v ErrorBrowserLocationChangeRequired + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err 
!= nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + + err = a.client.decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: err.Error(), + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + return localVarReturnValue, localVarHTTPResponse, nil +} + type FrontendAPIApiToSessionRequest struct { ctx context.Context ApiService FrontendAPI diff --git a/internal/httpclient/model_get_parameters_response.go b/internal/httpclient/model_get_parameters_response.go new file mode 100644 index 000000000000..17616c790407 --- /dev/null +++ b/internal/httpclient/model_get_parameters_response.go 
@@ -0,0 +1,150 @@ +/* + * Ory Identities API + * + * This is the API specification for Ory Identities with features such as registration, login, recovery, account verification, profile settings, password reset, identity management, session management, email and sms delivery, and more. + * + * API version: + * Contact: office@ory.sh + */ + +// Code generated by OpenAPI Generator (https://openapi-generator.tech); DO NOT EDIT. + +package client + +import ( + "encoding/json" +) + +// GetParametersResponse Contains a list of all available FedCM providers. +type GetParametersResponse struct { + CsrfToken *string `json:"csrf_token,omitempty"` + Providers []Provider `json:"providers,omitempty"` +} + +// NewGetParametersResponse instantiates a new GetParametersResponse object +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed +func NewGetParametersResponse() *GetParametersResponse { + this := GetParametersResponse{} + return &this +} + +// NewGetParametersResponseWithDefaults instantiates a new GetParametersResponse object +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set +func NewGetParametersResponseWithDefaults() *GetParametersResponse { + this := GetParametersResponse{} + return &this +} + +// GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. +func (o *GetParametersResponse) GetCsrfToken() string { + if o == nil || o.CsrfToken == nil { + var ret string + return ret + } + return *o.CsrfToken +} + +// GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise +// and a boolean to check if the value has been set. 
+func (o *GetParametersResponse) GetCsrfTokenOk() (*string, bool) { + if o == nil || o.CsrfToken == nil { + return nil, false + } + return o.CsrfToken, true +} + +// HasCsrfToken returns a boolean if a field has been set. +func (o *GetParametersResponse) HasCsrfToken() bool { + if o != nil && o.CsrfToken != nil { + return true + } + + return false +} + +// SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field. +func (o *GetParametersResponse) SetCsrfToken(v string) { + o.CsrfToken = &v +} + +// GetProviders returns the Providers field value if set, zero value otherwise. +func (o *GetParametersResponse) GetProviders() []Provider { + if o == nil || o.Providers == nil { + var ret []Provider + return ret + } + return o.Providers +} + +// GetProvidersOk returns a tuple with the Providers field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *GetParametersResponse) GetProvidersOk() ([]Provider, bool) { + if o == nil || o.Providers == nil { + return nil, false + } + return o.Providers, true +} + +// HasProviders returns a boolean if a field has been set. +func (o *GetParametersResponse) HasProviders() bool { + if o != nil && o.Providers != nil { + return true + } + + return false +} + +// SetProviders gets a reference to the given []Provider and assigns it to the Providers field. 
+func (o *GetParametersResponse) SetProviders(v []Provider) { + o.Providers = v +} + +func (o GetParametersResponse) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.CsrfToken != nil { + toSerialize["csrf_token"] = o.CsrfToken + } + if o.Providers != nil { + toSerialize["providers"] = o.Providers + } + return json.Marshal(toSerialize) +} + +type NullableGetParametersResponse struct { + value *GetParametersResponse + isSet bool +} + +func (v NullableGetParametersResponse) Get() *GetParametersResponse { + return v.value +} + +func (v *NullableGetParametersResponse) Set(val *GetParametersResponse) { + v.value = val + v.isSet = true +} + +func (v NullableGetParametersResponse) IsSet() bool { + return v.isSet +} + +func (v *NullableGetParametersResponse) Unset() { + v.value = nil + v.isSet = false +} + +func NewNullableGetParametersResponse(val *GetParametersResponse) *NullableGetParametersResponse { + return &NullableGetParametersResponse{value: val, isSet: true} +} + +func (v NullableGetParametersResponse) MarshalJSON() ([]byte, error) { + return json.Marshal(v.value) +} + +func (v *NullableGetParametersResponse) UnmarshalJSON(src []byte) error { + v.isSet = true + return json.Unmarshal(src, &v.value) +} diff --git a/internal/httpclient/model_provider.go b/internal/httpclient/model_provider.go new file mode 100644 index 000000000000..2c9a79590e0e --- /dev/null +++ b/internal/httpclient/model_provider.go 
@@ -0,0 +1,337 @@ +/* + * Ory Identities API + * + * This is the API specification for Ory Identities with features such as registration, login, recovery, account verification, profile settings, password reset, identity management, session management, email and sms delivery, and more. + * + * API version: + * Contact: office@ory.sh + */ + +// Code generated by OpenAPI Generator (https://openapi-generator.tech); DO NOT EDIT. + +package client + +import ( + "encoding/json" +) + +// Provider struct for Provider +type Provider struct { + // The RP's client identifier, issued by the IdP. + ClientId *string `json:"client_id,omitempty"` + // A full path of the IdP config file. + ConfigUrl *string `json:"config_url,omitempty"` + // By specifying one of domain_hints values provided by the accounts endpoints, the FedCM dialog selectively shows the specified account. + DomainHint *string `json:"domain_hint,omitempty"` + // Array of strings that specifies the user information (\"name\", \" email\", \"picture\") that RP needs IdP to share with them. Note: Field API is supported by Chrome 132 and later. + Fields []string `json:"fields,omitempty"` + // By specifying one of login_hints values provided by the accounts endpoints, the FedCM dialog selectively shows the specified account. + LoginHint *string `json:"login_hint,omitempty"` + // A random string to ensure the response is issued for this specific request. Prevents replay attacks. + Nonce *string `json:"nonce,omitempty"` + // Custom object that allows to specify additional key-value parameters: scope: A string value containing additional permissions that RP needs to request, for example \" drive.readonly calendar.readonly\" nonce: A random string to ensure the response is issued for this specific request. Prevents replay attacks. Other custom key-value parameters. Note: parameters is supported from Chrome 132. 
+ Parameters *map[string]string `json:"parameters,omitempty"` +} + +// NewProvider instantiates a new Provider object +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed +func NewProvider() *Provider { + this := Provider{} + return &this +} + +// NewProviderWithDefaults instantiates a new Provider object +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set +func NewProviderWithDefaults() *Provider { + this := Provider{} + return &this +} + +// GetClientId returns the ClientId field value if set, zero value otherwise. +func (o *Provider) GetClientId() string { + if o == nil || o.ClientId == nil { + var ret string + return ret + } + return *o.ClientId +} + +// GetClientIdOk returns a tuple with the ClientId field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetClientIdOk() (*string, bool) { + if o == nil || o.ClientId == nil { + return nil, false + } + return o.ClientId, true +} + +// HasClientId returns a boolean if a field has been set. +func (o *Provider) HasClientId() bool { + if o != nil && o.ClientId != nil { + return true + } + + return false +} + +// SetClientId gets a reference to the given string and assigns it to the ClientId field. +func (o *Provider) SetClientId(v string) { + o.ClientId = &v +} + +// GetConfigUrl returns the ConfigUrl field value if set, zero value otherwise. +func (o *Provider) GetConfigUrl() string { + if o == nil || o.ConfigUrl == nil { + var ret string + return ret + } + return *o.ConfigUrl +} + +// GetConfigUrlOk returns a tuple with the ConfigUrl field value if set, nil otherwise +// and a boolean to check if the value has been set. 
+func (o *Provider) GetConfigUrlOk() (*string, bool) { + if o == nil || o.ConfigUrl == nil { + return nil, false + } + return o.ConfigUrl, true +} + +// HasConfigUrl returns a boolean if a field has been set. +func (o *Provider) HasConfigUrl() bool { + if o != nil && o.ConfigUrl != nil { + return true + } + + return false +} + +// SetConfigUrl gets a reference to the given string and assigns it to the ConfigUrl field. +func (o *Provider) SetConfigUrl(v string) { + o.ConfigUrl = &v +} + +// GetDomainHint returns the DomainHint field value if set, zero value otherwise. +func (o *Provider) GetDomainHint() string { + if o == nil || o.DomainHint == nil { + var ret string + return ret + } + return *o.DomainHint +} + +// GetDomainHintOk returns a tuple with the DomainHint field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetDomainHintOk() (*string, bool) { + if o == nil || o.DomainHint == nil { + return nil, false + } + return o.DomainHint, true +} + +// HasDomainHint returns a boolean if a field has been set. +func (o *Provider) HasDomainHint() bool { + if o != nil && o.DomainHint != nil { + return true + } + + return false +} + +// SetDomainHint gets a reference to the given string and assigns it to the DomainHint field. +func (o *Provider) SetDomainHint(v string) { + o.DomainHint = &v +} + +// GetFields returns the Fields field value if set, zero value otherwise. +func (o *Provider) GetFields() []string { + if o == nil || o.Fields == nil { + var ret []string + return ret + } + return o.Fields +} + +// GetFieldsOk returns a tuple with the Fields field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetFieldsOk() ([]string, bool) { + if o == nil || o.Fields == nil { + return nil, false + } + return o.Fields, true +} + +// HasFields returns a boolean if a field has been set. 
+func (o *Provider) HasFields() bool { + if o != nil && o.Fields != nil { + return true + } + + return false +} + +// SetFields gets a reference to the given []string and assigns it to the Fields field. +func (o *Provider) SetFields(v []string) { + o.Fields = v +} + +// GetLoginHint returns the LoginHint field value if set, zero value otherwise. +func (o *Provider) GetLoginHint() string { + if o == nil || o.LoginHint == nil { + var ret string + return ret + } + return *o.LoginHint +} + +// GetLoginHintOk returns a tuple with the LoginHint field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetLoginHintOk() (*string, bool) { + if o == nil || o.LoginHint == nil { + return nil, false + } + return o.LoginHint, true +} + +// HasLoginHint returns a boolean if a field has been set. +func (o *Provider) HasLoginHint() bool { + if o != nil && o.LoginHint != nil { + return true + } + + return false +} + +// SetLoginHint gets a reference to the given string and assigns it to the LoginHint field. +func (o *Provider) SetLoginHint(v string) { + o.LoginHint = &v +} + +// GetNonce returns the Nonce field value if set, zero value otherwise. +func (o *Provider) GetNonce() string { + if o == nil || o.Nonce == nil { + var ret string + return ret + } + return *o.Nonce +} + +// GetNonceOk returns a tuple with the Nonce field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetNonceOk() (*string, bool) { + if o == nil || o.Nonce == nil { + return nil, false + } + return o.Nonce, true +} + +// HasNonce returns a boolean if a field has been set. +func (o *Provider) HasNonce() bool { + if o != nil && o.Nonce != nil { + return true + } + + return false +} + +// SetNonce gets a reference to the given string and assigns it to the Nonce field. +func (o *Provider) SetNonce(v string) { + o.Nonce = &v +} + +// GetParameters returns the Parameters field value if set, zero value otherwise. 
+func (o *Provider) GetParameters() map[string]string { + if o == nil || o.Parameters == nil { + var ret map[string]string + return ret + } + return *o.Parameters +} + +// GetParametersOk returns a tuple with the Parameters field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetParametersOk() (*map[string]string, bool) { + if o == nil || o.Parameters == nil { + return nil, false + } + return o.Parameters, true +} + +// HasParameters returns a boolean if a field has been set. +func (o *Provider) HasParameters() bool { + if o != nil && o.Parameters != nil { + return true + } + + return false +} + +// SetParameters gets a reference to the given map[string]string and assigns it to the Parameters field. +func (o *Provider) SetParameters(v map[string]string) { + o.Parameters = &v +} + +func (o Provider) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.ClientId != nil { + toSerialize["client_id"] = o.ClientId + } + if o.ConfigUrl != nil { + toSerialize["config_url"] = o.ConfigUrl + } + if o.DomainHint != nil { + toSerialize["domain_hint"] = o.DomainHint + } + if o.Fields != nil { + toSerialize["fields"] = o.Fields + } + if o.LoginHint != nil { + toSerialize["login_hint"] = o.LoginHint + } + if o.Nonce != nil { + toSerialize["nonce"] = o.Nonce + } + if o.Parameters != nil { + toSerialize["parameters"] = o.Parameters + } + return json.Marshal(toSerialize) +} + +type NullableProvider struct { + value *Provider + isSet bool +} + +func (v NullableProvider) Get() *Provider { + return v.value +} + +func (v *NullableProvider) Set(val *Provider) { + v.value = val + v.isSet = true +} + +func (v NullableProvider) IsSet() bool { + return v.isSet +} + +func (v *NullableProvider) Unset() { + v.value = nil + v.isSet = false +} + +func NewNullableProvider(val *Provider) *NullableProvider { + return &NullableProvider{value: val, isSet: true} +} + +func (v NullableProvider) MarshalJSON() ([]byte, error) 
{ + return json.Marshal(v.value) +} + +func (v *NullableProvider) UnmarshalJSON(src []byte) error { + v.isSet = true + return json.Unmarshal(src, &v.value) +} diff --git a/internal/httpclient/model_submit_fedcm_token_body.go b/internal/httpclient/model_submit_fedcm_token_body.go new file mode 100644 index 000000000000..8b2fbc54c70f --- /dev/null +++ b/internal/httpclient/model_submit_fedcm_token_body.go 
@@ -0,0 +1,114 @@ +/* + * Ory Identities API + * + * This is the API specification for Ory Identities with features such as registration, login, recovery, account verification, profile settings, password reset, identity management, session management, email and sms delivery, and more. + * + * API version: + * Contact: office@ory.sh + */ + +// Code generated by OpenAPI Generator (https://openapi-generator.tech); DO NOT EDIT. + +package client + +import ( + "encoding/json" +) + +// SubmitFedcmTokenBody struct for SubmitFedcmTokenBody +type SubmitFedcmTokenBody struct { + Token *string `json:"token,omitempty"` +} + +// NewSubmitFedcmTokenBody instantiates a new SubmitFedcmTokenBody object +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed +func NewSubmitFedcmTokenBody() *SubmitFedcmTokenBody { + this := SubmitFedcmTokenBody{} + return &this +} + +// NewSubmitFedcmTokenBodyWithDefaults instantiates a new SubmitFedcmTokenBody object +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set +func NewSubmitFedcmTokenBodyWithDefaults() *SubmitFedcmTokenBody { + this := SubmitFedcmTokenBody{} + return &this +} + +// GetToken returns the Token field value if set, zero value otherwise. +func (o *SubmitFedcmTokenBody) GetToken() string { + if o == nil || o.Token == nil { + var ret string + return ret + } + return *o.Token +} + +// GetTokenOk returns a tuple with the Token field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SubmitFedcmTokenBody) GetTokenOk() (*string, bool) { + if o == nil || o.Token == nil { + return nil, false + } + return o.Token, true +} + +// HasToken returns a boolean if a field has been set. 
+func (o *SubmitFedcmTokenBody) HasToken() bool { + if o != nil && o.Token != nil { + return true + } + + return false +} + +// SetToken gets a reference to the given string and assigns it to the Token field. +func (o *SubmitFedcmTokenBody) SetToken(v string) { + o.Token = &v +} + +func (o SubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.Token != nil { + toSerialize["token"] = o.Token + } + return json.Marshal(toSerialize) +} + +type NullableSubmitFedcmTokenBody struct { + value *SubmitFedcmTokenBody + isSet bool +} + +func (v NullableSubmitFedcmTokenBody) Get() *SubmitFedcmTokenBody { + return v.value +} + +func (v *NullableSubmitFedcmTokenBody) Set(val *SubmitFedcmTokenBody) { + v.value = val + v.isSet = true +} + +func (v NullableSubmitFedcmTokenBody) IsSet() bool { + return v.isSet +} + +func (v *NullableSubmitFedcmTokenBody) Unset() { + v.value = nil + v.isSet = false +} + +func NewNullableSubmitFedcmTokenBody(val *SubmitFedcmTokenBody) *NullableSubmitFedcmTokenBody { + return &NullableSubmitFedcmTokenBody{value: val, isSet: true} +} + +func (v NullableSubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { + return json.Marshal(v.value) +} + +func (v *NullableSubmitFedcmTokenBody) UnmarshalJSON(src []byte) error { + v.isSet = true + return json.Unmarshal(src, &v.value) +} diff --git a/internal/httpclient/model_update_login_flow_with_oidc_method.go b/internal/httpclient/model_update_login_flow_with_oidc_method.go index cdd5c665bdc5..c7ebbec5e248 100644 --- a/internal/httpclient/model_update_login_flow_with_oidc_method.go +++ b/internal/httpclient/model_update_login_flow_with_oidc_method.go 
@@ -17,21 +17,21 @@ import ( // UpdateLoginFlowWithOidcMethod Update Login Flow with OpenID Connect Method type UpdateLoginFlowWithOidcMethod struct { + // The Provider to register with + Provider string `json:"Provider"` // The CSRF Token CsrfToken *string `json:"csrf_token,omitempty"` - // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google + // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google IdToken *string `json:"id_token,omitempty"` - // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and required. + // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and required. IdTokenNonce *string `json:"id_token_nonce,omitempty"` // Method to use This field must be set to `oidc` when using the oidc method. Method string `json:"method"` - // The provider to register with - Provider string `json:"provider"` // The identity traits. This is a placeholder for the registration flow. 
Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
@@ -39,10 +39,10 @@ type UpdateLoginFlowWithOidcMethod struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUpdateLoginFlowWithOidcMethod(method string, provider string) *UpdateLoginFlowWithOidcMethod { +func NewUpdateLoginFlowWithOidcMethod(provider string, method string) *UpdateLoginFlowWithOidcMethod { this := UpdateLoginFlowWithOidcMethod{} - this.Method = method this.Provider = provider + this.Method = method return &this } @@ -54,6 +54,30 @@ func NewUpdateLoginFlowWithOidcMethodWithDefaults() *UpdateLoginFlowWithOidcMeth return &this } +// GetProvider returns the Provider field value +func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string { + if o == nil { + var ret string + return ret + } + + return o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value +// and a boolean to check if the value has been set. +func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Provider, true +} + +// SetProvider sets field value +func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) { + o.Provider = v +} + // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. func (o *UpdateLoginFlowWithOidcMethod) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { 
@@ -174,30 +198,6 @@ func (o *UpdateLoginFlowWithOidcMethod) SetMethod(v string) { o.Method = v } -// GetProvider returns the Provider field value -func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string { - if o == nil { - var ret string - return ret - } - - return o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value -// and a boolean to check if the value has been set. -func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) { - if o == nil { - return nil, false - } - return &o.Provider, true -} - -// SetProvider sets field value -func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) { - o.Provider = v -} - // GetTraits returns the Traits field value if set, zero value otherwise. func (o *UpdateLoginFlowWithOidcMethod) GetTraits() map[string]interface{} { if o == nil || o.Traits == nil { @@ -296,6 +296,9 @@ func (o *UpdateLoginFlowWithOidcMethod) SetUpstreamParameters(v map[string]inter func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} + if true { + toSerialize["Provider"] = o.Provider + } if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken } @@ -308,9 +311,6 @@ func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) { if true { toSerialize["method"] = o.Method } - if true { - toSerialize["provider"] = o.Provider - } if o.Traits != nil { toSerialize["traits"] = o.Traits } diff --git a/internal/httpclient/model_update_registration_flow_with_oidc_method.go b/internal/httpclient/model_update_registration_flow_with_oidc_method.go index 2ee32605fee6..d96f8bb21777 100644 --- a/internal/httpclient/model_update_registration_flow_with_oidc_method.go +++ b/internal/httpclient/model_update_registration_flow_with_oidc_method.go 
@@ -17,21 +17,21 @@ import ( // UpdateRegistrationFlowWithOidcMethod Update Registration Flow with OpenID Connect Method type UpdateRegistrationFlowWithOidcMethod struct { + // The Provider to register with + Provider string `json:"Provider"` // The CSRF Token CsrfToken *string `json:"csrf_token,omitempty"` - // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google + // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google IdToken *string `json:"id_token,omitempty"` - // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and is required. + // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and is required. IdTokenNonce *string `json:"id_token_nonce,omitempty"` // Method to use This field must be set to `oidc` when using the oidc method. 
Method string `json:"method"` - // The provider to register with - Provider string `json:"provider"` // The identity traits Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
@@ -39,10 +39,10 @@ type UpdateRegistrationFlowWithOidcMethod struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUpdateRegistrationFlowWithOidcMethod(method string, provider string) *UpdateRegistrationFlowWithOidcMethod { +func NewUpdateRegistrationFlowWithOidcMethod(provider string, method string) *UpdateRegistrationFlowWithOidcMethod { this := UpdateRegistrationFlowWithOidcMethod{} - this.Method = method this.Provider = provider + this.Method = method return &this } @@ -54,6 +54,30 @@ func NewUpdateRegistrationFlowWithOidcMethodWithDefaults() *UpdateRegistrationFl return &this } +// GetProvider returns the Provider field value +func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string { + if o == nil { + var ret string + return ret + } + + return o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value +// and a boolean to check if the value has been set. +func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Provider, true +} + +// SetProvider sets field value +func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) { + o.Provider = v +} + // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. func (o *UpdateRegistrationFlowWithOidcMethod) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { 
@@ -174,30 +198,6 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetMethod(v string) { o.Method = v } -// GetProvider returns the Provider field value -func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string { - if o == nil { - var ret string - return ret - } - - return o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value -// and a boolean to check if the value has been set. -func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) { - if o == nil { - return nil, false - } - return &o.Provider, true -} - -// SetProvider sets field value -func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) { - o.Provider = v -} - // GetTraits returns the Traits field value if set, zero value otherwise. func (o *UpdateRegistrationFlowWithOidcMethod) GetTraits() map[string]interface{} { if o == nil || o.Traits == nil { @@ -296,6 +296,9 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetUpstreamParameters(v map[strin func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} + if true { + toSerialize["Provider"] = o.Provider + } if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken } @@ -308,9 +311,6 @@ func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) { if true { toSerialize["method"] = o.Method } - if true { - toSerialize["provider"] = o.Provider - } if o.Traits != nil { toSerialize["traits"] = o.Traits } diff --git a/internal/httpclient/model_update_settings_flow_with_oidc_method.go b/internal/httpclient/model_update_settings_flow_with_oidc_method.go index c54a0d1251f3..6a1650c5c317 100644 --- a/internal/httpclient/model_update_settings_flow_with_oidc_method.go +++ b/internal/httpclient/model_update_settings_flow_with_oidc_method.go 
@@ -19,7 +19,7 @@ import ( type UpdateSettingsFlowWithOidcMethod struct { // Flow ID is the flow's ID. in: query Flow *string `json:"flow,omitempty"` - // Link this provider Either this or `unlink` must be set. type: string in: body + // Link this Provider Either this or `unlink` must be set. type: string in: body Link *string `json:"link,omitempty"` // Method Should be set to profile when trying to update a profile. Method string `json:"method"` 
@@ -27,9 +27,9 @@ type UpdateSettingsFlowWithOidcMethod struct { Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // Unlink this provider Either this or `link` must be set. type: string in: body + // Unlink this Provider Either this or `link` must be set. type: string in: body Unlink *string `json:"unlink,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
diff --git a/selfservice/strategy/oidc/fedcm/definitions.go b/selfservice/strategy/oidc/fedcm/definitions.go new file mode 100644 index 000000000000..aa6a90ebe6e7 --- /dev/null +++ b/selfservice/strategy/oidc/fedcm/definitions.go 
@@ -0,0 +1,121 @@
+// Copyright © 2025 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package fedcm
+
+type Provider struct {
+ // A full path of the IdP config file.
+ ConfigURL string `json:"config_url"`
+
+ // The RP's client identifier, issued by the IdP.
+ ClientID string `json:"client_id"`
+
+ // A random string to ensure the response is issued for this specific request.
+ // Prevents replay attacks.
+ Nonce string `json:"nonce"`
+
+ // By specifying one of login_hints values provided by the accounts endpoints,
+ // the FedCM dialog selectively shows the specified account.
+ LoginHint string `json:"login_hint,omitempty"`
+
+ // By specifying one of domain_hints values provided by the accounts endpoints,
+ // the FedCM dialog selectively shows the specified account.
+ DomainHint string `json:"domain_hint,omitempty"`
+
+ // Array of strings that specifies the user information ("name", " email",
+ // "picture") that RP needs IdP to share with them.
+ //
+ // Note: Field API is supported by Chrome 132 and later.
+ Fields []string `json:"fields,omitempty"`
+
+ // Custom object that allows to specify additional key-value parameters:
+ // - scope: A string value containing additional permissions that RP needs to
+ // request, for example " drive.readonly calendar.readonly"
+ // - nonce: A random string to ensure the response is issued for this specific
+ // request. Prevents replay attacks.
+ //
+ // Other custom key-value parameters.
+ //
+ // Note: parameters is supported from Chrome 132.
+ Parameters map[string]string `json:"parameters,omitempty"`
+}
+
+// GetParametersResponse
+//
+// Contains a list of all available FedCM providers.
+//
+// swagger:model getParametersResponse
+type GetParametersResponse struct {
+ Providers []Provider `json:"providers"`
+ CSRFToken string `json:"csrf_token"`
+}
+
+// swagger:route GET /self-service/fed-cm/parameters frontend getFedcmParameters
+//
+// # Get FedCM Parameters
+//
+// This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network.
+//
+// Consumes:
+// - application/json
+//
+// Produces:
+// - application/json
+//
+// Schemes: http, https
+//
+// Responses:
+// 200: getParametersResponse
+// 400: errorGeneric
+// default: errorGeneric
+
+type SubmitFedcmTokenBody struct {
+ // The provider to log in with.
+ Provider string `json:"provider"`
+
+ // Token contains the result of `navigator.credentials.get`.
+ Token string `json:"token"`
+
+ // Nonce is the nonce, used when generating the IDToken. If the provider supports
+ // nonce validation, the nonce will be validated against this value and required.
+ Nonce string `json:"nonce"`
+
+ // CSRFToken is the anti-CSRF token.
+ CSRFToken string `json:"csrf_token"`
+}
+
+// swagger:parameters submitFedcmToken
+type submitFedcmToken struct {
+ // in: body
+ // required: true
+ Body SubmitFedcmTokenBody
+}
+
+// swagger:route POST /self-service/fed-cm/token frontend submitFedcmToken
+//
+// # Submit a FedCM token
+//
+// Use this endpoint to submit a token from a FedCM provider through
+// `navigator.credentials.get` and log the user in. The parameters from
+// `navigator.credentials.get` must have come from `GET
+// /self-service/fed-cm/parameters`.
+//
+// Consumes:
+// - application/json
+// - application/x-www-form-urlencoded
+//
+// Produces:
+// - application/json
+//
+// Schemes: http, https
+//
+// Header:
+// - Set-Cookie
+//
+// Responses:
+// 200: successfulNativeLogin
+// 303: emptyResponse
+// 400: loginFlow
+// 410: errorGeneric
+// 422: errorBrowserLocationChangeRequired
+// default: errorGeneric
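Review bot: `SubmitFedcmTokenBody.Nonce` is client-supplied, so if the token handler (not part of this hunk) compares the ID token's `nonce` claim against this field, the check gives no replay protection — the caller controls both values. The nonce is minted server-side and handed out in `GetParametersResponse.Providers[].Nonce`, so the server should persist it (on the login flow or in a signed cookie) and compare the token's claim against that stored value, using the submitted `nonce` at most as a lookup key. The field comment should say so explicitly, e.g. `// Nonce must equal the nonce issued by GET /self-service/fed-cm/parameters; the server compares the token's nonce claim against its stored copy and does not trust this value on its own.` Separately, the generated clients in this patch expose a `SubmitFedcmTokenBody` with only `token`, which suggests this struct is missing a `// swagger:model submitFedcmTokenBody` annotation or the spec was generated before `provider`/`nonce`/`csrf_token` were added — worth verifying.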
diff --git a/selfservice/strategy/oidc/pkce.go b/selfservice/strategy/oidc/pkce.go index 2b397c8702b7..c14e3d3f01e2 100644 --- a/selfservice/strategy/oidc/pkce.go +++ b/selfservice/strategy/oidc/pkce.go @@ -48,7 +48,7 @@ func maybePKCE(ctx context.Context, d pkceDependencies, _p Provider) (verifier s // autodiscover PKCE support pkceSupported, err := discoverPKCE(ctx, d, p) if err != nil { - d.Logger().WithError(err).Warnf("Failed to autodiscover PKCE support for provider %q. Continuing without PKCE.", p.Config().ID) + d.Logger().WithError(err).Warnf("Failed to autodiscover PKCE support for Provider %q. Continuing without PKCE.", p.Config().ID) return "" } if !pkceSupported { @@ -67,13 +67,13 @@ func discoverPKCE(ctx context.Context, d pkceDependencies, p OAuth2Provider) (pk ctx = gooidc.ClientContext(ctx, d.HTTPClient(ctx).HTTPClient) gp, err := gooidc.NewProvider(ctx, p.Config().IssuerURL) if err != nil { - return false, errors.Wrap(err, "failed to initialize provider") + return false, errors.Wrap(err, "failed to initialize Provider") } var claims struct { CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"` } if err := gp.Claims(&claims); err != nil { - return false, errors.Wrap(err, "failed to deserialize provider claims") + return false, errors.Wrap(err, "failed to deserialize Provider claims") } return slices.Contains(claims.CodeChallengeMethodsSupported, "S256"), nil } diff --git a/selfservice/strategy/oidc/provider_apple.go b/selfservice/strategy/oidc/provider_apple.go index 7706eda9d9af..bc5523b22bbd 100644 --- a/selfservice/strategy/oidc/provider_apple.go +++ b/selfservice/strategy/oidc/provider_apple.go 
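Review bot: The log and error strings in this hunk now read `... for Provider %q` and `failed to initialize Provider`, a mid-sentence capital that looks like a case-insensitive search-and-replace of `provider` → `Provider` rather than an intended wording change; the same artefact shows up in comments across the patch. Messages that reach logs or API consumers should keep the original wording, e.g. `Warnf("Failed to autodiscover PKCE support for provider %q. Continuing without PKCE.", p.Config().ID)`, since rewording them also breaks anything that matches on them. More seriously, the regenerated client models earlier in this patch now tag the field as `json:"Provider"` instead of `json:"provider"`, which suggests the same replace reached the server-side JSON tags of the update-flow bodies; if so, every existing client posting `provider` will fail, so please check the source structs before merging.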
@@ -156,13 +156,13 @@ func (a *ProviderApple) DecodeQuery(query url.Values, claims *Claims) { var _ IDTokenVerifier = new(ProviderApple) -const issuerUrlApple = "https://appleid.apple.com" +const issuerURLApple = "https://appleid.apple.com" func (a *ProviderApple) Verify(ctx context.Context, rawIDToken string) (*Claims, error) { keySet := oidc.NewRemoteKeySet(ctx, a.JWKSUrl) - ctx = oidc.ClientContext(ctx, a.reg.HTTPClient(ctx).HTTPClient) - return verifyToken(ctx, keySet, a.config, rawIDToken, issuerUrlApple) + + return verifyToken(ctx, keySet, a.config, rawIDToken, issuerURLApple) } var _ NonceValidationSkipper = new(ProviderApple) diff --git a/selfservice/strategy/oidc/provider_config.go b/selfservice/strategy/oidc/provider_config.go index 92b16fdf5f42..e27dd6db25fc 100644 --- a/selfservice/strategy/oidc/provider_config.go +++ b/selfservice/strategy/oidc/provider_config.go @@ -128,6 +128,10 @@ type Configuration struct { // Instead of /self-service/methods/oidc/callback/, you must use /self-service/methods/oidc/callback // (Note the missing path segment and no trailing slash). PKCE string `json:"pkce"` + + // FedCMConfigURL is the URL to the FedCM IdP configuration file. + // This is only effective in the Ory Network. + FedCMConfigURL string `json:"fedcm_config_url"` } func (p Configuration) Redir(public *url.URL) string { @@ -178,6 +182,7 @@ var supportedProviders = map[string]func(config *Configuration, reg Dependencies "lark": NewProviderLark, "x": NewProviderX, "jackson": NewProviderJackson, + "fedcm-test": NewProviderTestFedcm, } func (c ConfigurationCollection) Provider(id string, reg Dependencies) (Provider, error) { diff --git a/selfservice/strategy/oidc/provider_google.go b/selfservice/strategy/oidc/provider_google.go index 4e009b318380..b1f758bd726b 100644 --- a/selfservice/strategy/oidc/provider_google.go +++ b/selfservice/strategy/oidc/provider_google.go 
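Review bot: Dropping `ctx = oidc.ClientContext(ctx, a.reg.HTTPClient(ctx).HTTPClient)` from `ProviderApple.Verify` leaves the Apple JWKS fetch on go-oidc's default HTTP client instead of the registry's configured one (timeouts, proxy and egress rules), while `ProviderGoogle.Verify` in this same patch keeps the call. As far as I can see, go-oidc v3's `RemoteKeySet` performs its HTTP requests with the context given to `NewRemoteKeySet`, so in both providers the client context only takes effect when it is set before the key set is constructed — the original order was already ineffective, which is presumably why removing it broke no test. The fix is to move the line rather than delete it: `ctx = oidc.ClientContext(ctx, a.reg.HTTPClient(ctx).HTTPClient)` followed by `keySet := oidc.NewRemoteKeySet(ctx, a.JWKSUrl)`; the same reordering applies to the Google hunk.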
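Review bot: `"fedcm-test": NewProviderTestFedcm` registers a mock provider in the production `supportedProviders` map; its `Verify` (added later in this patch) accepts any HS256 token signed with the literal key `xxxxxxx` and skips claim validation, so a deployment whose config selects provider type `fedcm-test` will accept attacker-minted ID tokens, the key being public in this repository. Test doubles should not be reachable from runtime configuration: register this provider from the test package through an explicit hook, or behind a build tag, rather than in the default map. If it must stay here, the config schema should refuse `fedcm-test` outside development, and the entry needs a warning such as `// fedcm-test is a mock verifier for tests only and must never be enabled in production.`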
@@ -78,6 +78,7 @@ const issuerUrlGoogle = "https://accounts.google.com" func (p *ProviderGoogle) Verify(ctx context.Context, rawIDToken string) (*Claims, error) { keySet := gooidc.NewRemoteKeySet(ctx, p.JWKSUrl) ctx = gooidc.ClientContext(ctx, p.reg.HTTPClient(ctx).HTTPClient) + return verifyToken(ctx, keySet, p.config, rawIDToken, issuerUrlGoogle) } diff --git a/selfservice/strategy/oidc/provider_netid.go b/selfservice/strategy/oidc/provider_netid.go index d936bf1b361c..93e3f3532cea 100644 --- a/selfservice/strategy/oidc/provider_netid.go +++ b/selfservice/strategy/oidc/provider_netid.go @@ -9,17 +9,16 @@ import ( "fmt" "net/url" "slices" + "testing" - gooidc "github.com/coreos/go-oidc/v3/oidc" - + "github.com/coreos/go-oidc/v3/oidc" "github.com/hashicorp/go-retryablehttp" "github.com/pkg/errors" "golang.org/x/oauth2" - "github.com/ory/x/urlx" - "github.com/ory/herodot" "github.com/ory/x/httpx" + "github.com/ory/x/urlx" ) const ( @@ -38,8 +37,8 @@ func NewProviderNetID( reg Dependencies, ) Provider { config.IssuerURL = fmt.Sprintf("%s://%s/", defaultBrokerScheme, defaultBrokerHost) - if !slices.Contains(config.Scope, gooidc.ScopeOpenID) { - config.Scope = append(config.Scope, gooidc.ScopeOpenID) + if !slices.Contains(config.Scope, oidc.ScopeOpenID) { + config.Scope = append(config.Scope, oidc.ScopeOpenID) } return &ProviderNetID{ 
@@ -118,6 +117,39 @@ func (n *ProviderNetID) Claims(ctx context.Context, exchange *oauth2.Token, _ ur return &userinfo, nil } +func (n *ProviderNetID) Verify(ctx context.Context, rawIDToken string) (*Claims, error) { + provider, err := n.provider(ctx) + if err != nil { + return nil, err + } + + idToken, err := provider.VerifierContext( + n.withHTTPClientContext(ctx), + &oidc.Config{ + ClientID: n.config.ClientID, + InsecureSkipSignatureCheck: testing.Testing(), + }, + ).Verify(ctx, rawIDToken) + if err != nil { + return nil, err + } + + var ( + claims Claims + rawClaims map[string]any + ) + + if err = idToken.Claims(&claims); err != nil { + return nil, err + } + if err = idToken.Claims(&rawClaims); err != nil { + return nil, err + } + claims.RawClaims = rawClaims + + return &claims, nil +} + func (n *ProviderNetID) brokerURL() *url.URL { return &url.URL{Scheme: defaultBrokerScheme, Host: defaultBrokerHost} } diff --git a/selfservice/strategy/oidc/provider_test_fedcm.go b/selfservice/strategy/oidc/provider_test_fedcm.go new file mode 100644 index 000000000000..5ea002faa74b --- /dev/null +++ b/selfservice/strategy/oidc/provider_test_fedcm.go 
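Review bot: `InsecureSkipSignatureCheck: testing.Testing()` makes `ProviderNetID.Verify` behave differently under `go test` than in production, so the test suite never exercises the signature path of this verifier, and it pulls the `testing` package into a non-test file. Keep verification unconditional and let tests supply keys instead — serve a JWKS from an `httptest.Server` reached through `n.withHTTPClientContext`, or inject an `*oidc.Config` via `Dependencies` — so that `InsecureSkipSignatureCheck` only ever appears in `_test.go` files. The verifier also does not check the `nonce` claim; if the caller does that elsewhere, a one-line comment on `Verify` saying so would save the next reader a search. The surrounding `provider` and `withHTTPClientContext` helpers are outside this hunk.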
@@ -0,0 +1,49 @@
+// Copyright © 2023 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package oidc
+
+import (
+ "context"
+
+ "github.com/golang-jwt/jwt/v5"
+)
+
+// ProviderTestFedcm is a mock provider to test FedCM.
+type ProviderTestFedcm struct {
+ *ProviderGenericOIDC
+}
+
+var _ OAuth2Provider = (*ProviderTestFedcm)(nil)
+
+func NewProviderTestFedcm(
+ config *Configuration,
+ reg Dependencies,
+) Provider {
+ return &ProviderTestFedcm{
+ ProviderGenericOIDC: &ProviderGenericOIDC{
+ config: config,
+ reg: reg,
+ },
+ }
+}
+
+func (g *ProviderTestFedcm) Verify(_ context.Context, rawIDToken string) (claims *Claims, err error) {
+ rawClaims := &struct {
+ Claims
+ jwt.MapClaims
+ }{}
+ _, err = jwt.ParseWithClaims(rawIDToken, rawClaims, func(token *jwt.Token) (interface{}, error) {
+ return []byte(`xxxxxxx`), nil
+ }, jwt.WithoutClaimsValidation())
+ if err != nil {
+ return nil, err
+ }
+ rawClaims.Issuer = "https://example.com/fedcm"
+
+ if err = rawClaims.Claims.Validate(); err != nil {
+ return nil, err
+ }
+
+ return &rawClaims.Claims, nil
+}
diff --git a/selfservice/strategy/oidc/provider_test_fedcm_test.go b/selfservice/strategy/oidc/provider_test_fedcm_test.go
new file mode 100644
index 000000000000..715441d29dff
--- /dev/null
+++ b/selfservice/strategy/oidc/provider_test_fedcm_test.go
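Review bot: `ProviderTestFedcm.Verify` parses with a hard-coded HMAC key, no `jwt.WithValidMethods(...)`, and `jwt.WithoutClaimsValidation()`, so every token signed with `xxxxxxx` is accepted indefinitely and the only remaining check is `Claims.Validate()` on a struct whose `Issuer` was just overwritten. Because this is not a `_test.go` file it is compiled into the binary and, via the provider registry in this same patch, selectable by config name — a live verifier rather than a fixture. If it has to live in the main package, pass `jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Alg()})`, drop `WithoutClaimsValidation` so `exp` is honoured, and take the key from the `Configuration` rather than a literal; the type comment should also state `// ProviderTestFedcm is NOT a real verifier and must only be used in tests.` The unused `_ context.Context` parameter and the unused `claims` named result are minor, but `go vet`-style linters will point at them.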
@@ -0,0 +1,26 @@
+// Copyright © 2025 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package oidc_test
+
+import (
+ "context"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+
+ "github.com/ory/kratos/internal"
+ "github.com/ory/kratos/selfservice/strategy/oidc"
+)
+
+func TestFedcmTestProvider(t *testing.T) {
+ _, reg := internal.NewVeryFastRegistryWithoutDB(t)
+
+ p := oidc.NewProviderTestFedcm(&oidc.Configuration{}, reg)
+
+ rawToken := `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI1NWVlMjgxNC02ZTQ4LTRmZTktYWIzNS1mM2QxYzczM2I3ZTciLCJub25jZSI6ImVkOWM0ZDcyMDZkMDc1YTg4NjY0ZmE3YjMwY2Q5ZGE2NGU4ZTkwMjY5MGJhZmI2YjNmMmY2OWU5YzU1ZGUyNTcwOTFlYTk3ZTFiZTFiYjdiNDZmMjJjYzY0ZSIsImV4cCI6MTczNzU1ODM4MTk3MSwiaWF0IjoxNzM3NDcxOTgxOTcxLCJlbWFpbCI6InhweGN3dnU1YjRuemZvdGZAZXhhbXBsZS5jb20iLCJuYW1lIjoiVXNlciBOYW1lIiwicGljdHVyZSI6Imh0dHBzOi8vYXBpLmRpY2ViZWFyLmNvbS83LngvYm90dHRzL3BuZz9zZWVkPSUyNDJiJTI0MTAlMjR5WEs3eWozNEg4SkhCNm8zOG1sc2xlYzl1WkozZ2F2UGlDaFdaeFFIbnk3VkFKRlouS3RGZSJ9.GnSP_x8J_yS5wrTwtB6B-BydYYljrpVjQjS2vZ5D8Hg`
+
+ claims, err := p.(oidc.IDTokenVerifier).Verify(context.Background(), rawToken)
+ require.NoError(t, err)
+ require.NotNil(t, claims)
+}
diff --git a/selfservice/strategy/oidc/strategy.go b/selfservice/strategy/oidc/strategy.go
index f04f06d35899..cc7900b2d1b2 100644
--- a/selfservice/strategy/oidc/strategy.go
+++ b/selfservice/strategy/oidc/strategy.go
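Review bot: `TestFedcmTestProvider` only asserts that `Verify` returns no error and a non-nil result, so it would still pass if the verifier ignored the signature entirely; it should pin the decoded claims (`require.Equal(t, "<sub from the fixture>", claims.Subject)` and the email) and add a negative case in which a token signed with a different key, or with a modified payload, is rejected. The fixture's `exp` also appears to decode to `1737558381971`, a millisecond timestamp that read as seconds lies millennia in the future, so even an expiry-honouring verifier would never fail on it — a second fixture with a genuinely past `exp` would catch a regression if claim validation is ever switched on.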
@@ -402,22 +402,22 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt req, state, cntnr, err := s.ValidateCallback(w, r, ps) if err != nil { if req != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) } else { - s.d.SelfServiceErrorManager().Forward(ctx, w, r, s.handleError(ctx, w, r, nil, "", nil, err)) + s.d.SelfServiceErrorManager().Forward(ctx, w, r, s.HandleError(ctx, w, r, nil, "", nil, err)) } return } if authenticated, err := s.alreadyAuthenticated(ctx, w, r, req); err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) } else if authenticated { return } - provider, err := s.provider(ctx, state.ProviderId) + provider, err := s.Provider(ctx, state.ProviderId) if err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } 
@@ -427,37 +427,37 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt case OAuth2Provider: token, err := s.exchangeCode(ctx, p, code, PKCEVerifier(state)) if err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } et, err = s.encryptOAuth2Tokens(ctx, token) if err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } claims, err = p.Claims(ctx, token, r.URL.Query()) if err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } case OAuth1Provider: token, err := p.ExchangeToken(ctx, r) if err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } claims, err = p.Claims(ctx, token) if err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } } if err = claims.Validate(); err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } 
@@ -467,15 +467,15 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt case *login.Flow: a.Active = s.ID() a.TransientPayload = cntnr.TransientPayload - if ff, err := s.processLogin(ctx, w, r, a, et, claims, provider, cntnr); err != nil { + if ff, err := s.ProcessLogin(ctx, w, r, a, et, claims, provider, cntnr); err != nil { if errors.Is(err, flow.ErrCompletedByStrategy) { return } if ff != nil { - s.forwardError(ctx, w, r, ff, err) + s.ForwardError(ctx, w, r, ff, err) return } - s.forwardError(ctx, w, r, a, err) + s.ForwardError(ctx, w, r, a, err) } return case *registration.Flow: @@ -483,10 +483,10 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt a.TransientPayload = cntnr.TransientPayload if ff, err := s.processRegistration(ctx, w, r, a, et, claims, provider, cntnr); err != nil { if ff != nil { - s.forwardError(ctx, w, r, ff, err) + s.ForwardError(ctx, w, r, ff, err) return } - s.forwardError(ctx, w, r, a, err) + s.ForwardError(ctx, w, r, a, err) } return case *settings.Flow: 
@@ -494,16 +494,16 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt a.TransientPayload = cntnr.TransientPayload sess, err := s.d.SessionManager().FetchFromRequest(ctx, r) if err != nil { - s.forwardError(ctx, w, r, a, s.handleError(ctx, w, r, a, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, a, s.HandleError(ctx, w, r, a, state.ProviderId, nil, err)) return } if err := s.linkProvider(ctx, w, r, &settings.UpdateContext{Session: sess, Flow: a}, et, claims, provider); err != nil { - s.forwardError(ctx, w, r, a, s.handleError(ctx, w, r, a, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, a, s.HandleError(ctx, w, r, a, state.ProviderId, nil, err)) return } return default: - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, errors.WithStack(x.PseudoPanic. + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, errors.WithStack(x.PseudoPanic. WithDetailf("cause", "Unexpected type in OpenID Connect flow: %T", a)))) return } @@ -555,7 +555,7 @@ func (s *Strategy) Config(ctx context.Context) (*ConfigurationCollection, error) return &c, nil } -func (s *Strategy) provider(ctx context.Context, id string) (Provider, error) { +func (s *Strategy) Provider(ctx context.Context, id string) (Provider, error) { if c, err := s.Config(ctx); err != nil { return nil, err } else if provider, err := c.Provider(id, s.d); err != nil { @@ -565,7 +565,7 @@ func (s *Strategy) provider(ctx context.Context, id string) (Provider, error) { } } -func (s *Strategy) forwardError(ctx context.Context, w http.ResponseWriter, r *http.Request, f flow.Flow, err error) { +func (s *Strategy) ForwardError(ctx context.Context, w http.ResponseWriter, r *http.Request, f flow.Flow, err error) { switch ff := f.(type) { case *login.Flow: s.d.LoginFlowErrorHandler().WriteFlowError(w, r, ff, s.NodeGroup(), err) 
@@ -582,7 +582,7 @@ func (s *Strategy) forwardError(ctx context.Context, w http.ResponseWriter, r *h } } -func (s *Strategy) handleError(ctx context.Context, w http.ResponseWriter, r *http.Request, f flow.Flow, usedProviderID string, traits []byte, err error) error { +func (s *Strategy) HandleError(ctx context.Context, w http.ResponseWriter, r *http.Request, f flow.Flow, usedProviderID string, traits []byte, err error) error { switch rf := f.(type) { case *login.Flow: return err @@ -664,7 +664,7 @@ func (s *Strategy) handleError(ctx context.Context, w http.ResponseWriter, r *ht func (s *Strategy) populateAccountLinkingUI(ctx context.Context, lf *login.Flow, usedProviderID string, duplicateIdentifier string, availableCredentials []string, availableProviders []string) { newLoginURL := s.d.Config().SelfServiceFlowLoginUI(ctx).String() usedProviderLabel := usedProviderID - provider, _ := s.provider(ctx, usedProviderID) + provider, _ := s.Provider(ctx, usedProviderID) if provider != nil && provider.Config() != nil { usedProviderLabel = provider.Config().Label if usedProviderLabel == "" { @@ -680,13 +680,13 @@ func (s *Strategy) populateAccountLinkingUI(ctx context.Context, lf *login.Flow, continue } - // Skip the provider that was used to get here (in case they used an OIDC provider) + // Skip the Provider that was used to get here (in case they used an OIDC Provider) pID := gjson.GetBytes(n.Meta.Label.Context, "provider_id").String() if n.Group == node.OpenIDConnectGroup { if pID == usedProviderID { continue } - // Hide any provider that is not available for the user + // Hide any Provider that is not available for the user if loginHintsEnabled && !slices.Contains(availableProviders, pID) { continue } 
@@ -697,7 +697,7 @@ func (s *Strategy) populateAccountLinkingUI(ctx context.Context, lf *login.Flow,
 case text.InfoSelfServiceLogin:
 n.Meta.Label = text.NewInfoLoginAndLink()
 case text.InfoSelfServiceLoginWith:
- p := gjson.GetBytes(n.Meta.Label.Context, "provider").String()
+ p := gjson.GetBytes(n.Meta.Label.Context, "Provider").String()
 n.Meta.Label = text.NewInfoLoginWithAndLink(p)
 }
@@ -742,18 +742,18 @@ func (s *Strategy) CompletedAuthenticationMethod(ctx context.Context) session.Au
 }
 }
-func (s *Strategy) processIDToken(r *http.Request, provider Provider, idToken, idTokenNonce string) (*Claims, error) {
+func (s *Strategy) ProcessIDToken(r *http.Request, provider Provider, idToken, idTokenNonce string) (*Claims, error) {
 verifier, ok := provider.(IDTokenVerifier)
 if !ok {
- return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The provider %s does not support id_token verification", provider.Config().Provider))
+ return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("The Provider %s does not support id_token verification", provider.Config().Provider))
 }
 claims, err := verifier.Verify(r.Context(), idToken)
 if err != nil {
- return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Could not verify id_token").WithError(err.Error()))
+ return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("Could not verify id_token").WithError(err.Error()))
 }
 if err := claims.Validate(); err != nil {
- return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The id_token claims were invalid").WithError(err.Error()))
+ return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("The id_token claims were invalid").WithError(err.Error()))
 }
 // First check if the JWT contains the nonce claim.
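Review bot: The changed line reads a runtime JSON key, not a Go identifier, so replacing `"provider"` with `"Provider"` changes which field of the label context is looked up; the code that writes that context is outside this hunk, and unless it was switched to the capitalised key in the same change, `p` comes back empty and NewInfoLoginWithAndLink builds a label with no provider name. The comment-only edits in the previous hunk suggest this is fallout of a search-and-replace done for the exported renames. Restore the line to `p := gjson.GetBytes(n.Meta.Label.Context, "provider").String()`. populateAccountLinkingUI both starts and ends outside this hunk.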
@@ -761,17 +761,17 @@ func (s *Strategy) processIDToken(r *http.Request, provider Provider, idToken, i // If it doesn't, check if the provider supports nonces. if nonceSkipper, ok := verifier.(NonceValidationSkipper); !ok || !nonceSkipper.CanSkipNonce(claims) { // If the provider supports nonces, abort the flow! - return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("No nonce was included in the id_token but is required by the provider")) + return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was included in the id_token but is required by the Provider")) } // If the provider does not support nonces, we don't do validation and return the claim. // This case only applies to Apple, as some of their devices do not support nonces. // https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple } else if idTokenNonce == "" { // A nonce was present in the JWT token, but no nonce was submitted in the flow - return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("No nonce was provided but is required by the provider")) + return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was provided but is required by the Provider")) } else if idTokenNonce != claims.Nonce { // The nonce from the JWT token does not match the nonce from the flow. - return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The supplied nonce does not match the nonce from the id_token")) + return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("The supplied nonce does not match the nonce from the id_token")) } // Nonce checking was successful 
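Review bot: `ProcessIDToken` becomes an exported extension point in this hunk but has no doc comment, and the rename also altered user-facing reason strings (`The Provider %s does not support id_token verification`, and the nonce messages below), where `Provider` is ordinary prose and should stay lower-case. Reporting these failures as ErrBadRequest instead of 500 is right because id_token and nonce are client input, but `.WithError(err.Error())` copies the verifier's error text into the response message; this file uses `.WithDebug(err.Error())` for the same purpose elsewhere (the 'Could not update flow' error in Login), which keeps verifier and key-set detail out of the client-visible message. Suggested header: `// ProcessIDToken verifies a client-submitted id_token with the provider's IDTokenVerifier, validates the decoded claims and enforces the nonce binding; every failure is reported as 400 because the token is user input.` The function continues in the next hunk.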
@@ -780,7 +780,7 @@ func (s *Strategy) processIDToken(r *http.Request, provider Provider, idToken, i
 func (s *Strategy) linkCredentials(ctx context.Context, i *identity.Identity, tokens *identity.CredentialsOIDCEncryptedTokens, provider, subject, organization string) (err error) {
 ctx, span := s.d.Tracer(ctx).Tracer().Start(ctx, "strategy.oidc.linkCredentials", trace.WithAttributes(
- attribute.String("provider", provider),
+ attribute.String("Provider", provider),
 // attribute.String("subject", subject), // PII
 attribute.String("organization", organization)))
 defer otelx.End(span, &err)
diff --git a/selfservice/strategy/oidc/strategy_login.go b/selfservice/strategy/oidc/strategy_login.go
index ffe04c7c3e75..3f8d716d74a0 100644
--- a/selfservice/strategy/oidc/strategy_login.go
+++ b/selfservice/strategy/oidc/strategy_login.go
@@ -98,7 +98,7 @@ type UpdateLoginFlowWithOidcMethod struct {
 TransientPayload json.RawMessage `json:"transient_payload,omitempty" form:"transient_payload"`
 }
-func (s *Strategy) processLogin(ctx context.Context, w http.ResponseWriter, r *http.Request, loginFlow *login.Flow, token *identity.CredentialsOIDCEncryptedTokens, claims *Claims, provider Provider, container *AuthCodeContainer) (_ *registration.Flow, err error) {
+func (s *Strategy) ProcessLogin(ctx context.Context, w http.ResponseWriter, r *http.Request, loginFlow *login.Flow, token *identity.CredentialsOIDCEncryptedTokens, claims *Claims, provider Provider, container *AuthCodeContainer) (_ *registration.Flow, err error) {
 ctx, span := s.d.Tracer(ctx).Tracer().Start(ctx, "selfservice.strategy.oidc.Strategy.processLogin")
 defer otelx.End(span, &err)
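Review bot: The span attribute key on the changed line is data, not an identifier, and its sibling two lines down stays `organization` in lower case, so after this change one attribute of the span is capitalised and the other is not; any trace query or dashboard filtering on `provider` silently stops matching. Keep the key unchanged: `attribute.String("provider", provider),`. linkCredentials continues beyond the hunk.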
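Review bot: The span name on the line after the new signature still reads `selfservice.strategy.oidc.Strategy.processLogin` while the method is now `ProcessLogin`, so the trace no longer matches the symbol a developer will search for; change it to `"selfservice.strategy.oidc.Strategy.ProcessLogin"` (or keep it deliberately and say so if span names are treated as a stable contract). As an exported extension point the method also needs a doc comment, for example `// ProcessLogin finishes a login flow for claims that have already been verified: it matches the provider/subject pair against the identity's OIDC credentials and runs the post-login hook, or hands off to a freshly created registration flow when no identity is linked yet.` The body continues past this hunk.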
@@ -133,12 +133,12 @@ func (s *Strategy) processLogin(ctx context.Context, w http.ResponseWriter, r *h registrationFlow, err := s.d.RegistrationHandler().NewRegistrationFlow(w, r, loginFlow.Type, opts...) if err != nil { - return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) + return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) } err = s.d.SessionTokenExchangePersister().MoveToNewFlow(ctx, loginFlow.ID, registrationFlow.ID) if err != nil { - return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) + return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) } registrationFlow.OrganizationID = loginFlow.OrganizationID @@ -157,12 +157,12 @@ func (s *Strategy) processLogin(ctx context.Context, w http.ResponseWriter, r *h return nil, nil } - return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) + return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) } var oidcCredentials identity.CredentialsOIDC if err := json.NewDecoder(bytes.NewBuffer(c.Config)).Decode(&oidcCredentials); err != nil { - return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("The password credentials could not be decoded properly").WithDebug(err.Error()))) + return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("The password credentials could not be decoded properly").WithDebug(err.Error()))) } sess := session.NewInactiveSession() 
@@ -171,13 +171,13 @@ func (s *Strategy) processLogin(ctx context.Context, w http.ResponseWriter, r *h for _, c := range oidcCredentials.Providers { if c.Subject == claims.Subject && c.Provider == provider.Config().ID { if err = s.d.LoginHookExecutor().PostLoginHook(w, r, node.OpenIDConnectGroup, loginFlow, i, sess, provider.Config().ID); err != nil { - return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) + return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) } return nil, nil } } - return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("Unable to find matching OpenID Connect Credentials.").WithDebugf(`Unable to find credentials that match the given provider "%s" and subject "%s".`, provider.Config().ID, claims.Subject))) + return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("Unable to find matching OpenID Connect Credentials.").WithDebugf(`Unable to find credentials that match the given Provider "%s" and subject "%s".`, provider.Config().ID, claims.Subject))) } func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, _ *session.Session) (i *identity.Identity, err error) { @@ -191,7 +191,7 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, var p UpdateLoginFlowWithOidcMethod if err := s.newLinkDecoder(ctx, &p, r); err != nil { - return nil, s.handleError(ctx, w, r, f, "", nil, err) + return nil, s.HandleError(ctx, w, r, f, "", nil, err) } f.IDToken = p.IDToken 
@@ -216,43 +216,43 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, } if err := flow.MethodEnabledAndAllowed(ctx, f.GetFlowName(), s.SettingsStrategyID(), s.SettingsStrategyID(), s.d); err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, s.handleMethodNotAllowedError(err)) + return nil, s.HandleError(ctx, w, r, f, pid, nil, s.handleMethodNotAllowedError(err)) } - provider, err := s.provider(ctx, pid) + provider, err := s.Provider(ctx, pid) if err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } req, err := s.validateFlow(ctx, r, f.ID) if err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } if authenticated, err := s.alreadyAuthenticated(ctx, w, r, req); err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } else if authenticated { return i, nil } if p.IDToken != "" { - claims, err := s.processIDToken(r, provider, p.IDToken, p.IDTokenNonce) + claims, err := s.ProcessIDToken(r, provider, p.IDToken, p.IDTokenNonce) if err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } - _, err = s.processLogin(ctx, w, r, f, nil, claims, provider, &AuthCodeContainer{ + _, err = s.ProcessLogin(ctx, w, r, f, nil, claims, provider, &AuthCodeContainer{ FlowID: f.ID.String(), Traits: p.Traits, }) if err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } return nil, errors.WithStack(flow.ErrCompletedByStrategy) } state, pkce, err := s.GenerateState(ctx, provider, f.ID) if err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } if err := s.d.ContinuityManager().Pause(ctx, w, r, sessionName, 
continuity.WithPayload(&AuthCodeContainer{ @@ -262,12 +262,12 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, TransientPayload: f.TransientPayload, }), continuity.WithLifespan(time.Minute*30)); err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } f.Active = s.ID() if err = s.d.LoginFlowPersister().UpdateLoginFlow(ctx, f); err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("Could not update flow").WithDebug(err.Error()))) + return nil, s.HandleError(ctx, w, r, f, pid, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("Could not update flow").WithDebug(err.Error()))) } var up map[string]string @@ -277,7 +277,7 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, codeURL, err := getAuthRedirectURL(ctx, provider, f, state, up, pkce) if err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } if x.IsJSONRequest(r) { diff --git a/selfservice/strategy/oidc/strategy_registration.go b/selfservice/strategy/oidc/strategy_registration.go index ccb6287cdfb2..9a06bfedd138 100644 --- a/selfservice/strategy/oidc/strategy_registration.go +++ b/selfservice/strategy/oidc/strategy_registration.go @@ -156,7 +156,7 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat var p UpdateRegistrationFlowWithOidcMethod if err := s.newLinkDecoder(ctx, &p, r); err != nil { - return s.handleError(ctx, w, r, f, "", nil, err) + return s.HandleError(ctx, w, r, f, "", nil, err) } pid := p.Provider // this can come from both url query and post body 
@@ -181,29 +181,29 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat } if err := flow.MethodEnabledAndAllowed(ctx, f.GetFlowName(), s.SettingsStrategyID(), s.SettingsStrategyID(), s.d); err != nil { - return s.handleError(ctx, w, r, f, pid, nil, s.handleMethodNotAllowedError(err)) + return s.HandleError(ctx, w, r, f, pid, nil, s.handleMethodNotAllowedError(err)) } - provider, err := s.provider(ctx, pid) + provider, err := s.Provider(ctx, pid) if err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } req, err := s.validateFlow(ctx, r, f.ID) if err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } if authenticated, err := s.alreadyAuthenticated(ctx, w, r, req); err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } else if authenticated { return errors.WithStack(registration.ErrAlreadyLoggedIn) } if p.IDToken != "" { - claims, err := s.processIDToken(r, provider, p.IDToken, p.IDTokenNonce) + claims, err := s.ProcessIDToken(r, provider, p.IDToken, p.IDTokenNonce) if err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } _, err = s.processRegistration(ctx, w, r, f, nil, claims, provider, &AuthCodeContainer{ FlowID: f.ID.String(), 
@@ -211,14 +211,14 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat TransientPayload: f.TransientPayload, }) if err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } return errors.WithStack(flow.ErrCompletedByStrategy) } state, pkce, err := s.GenerateState(ctx, provider, f.ID) if err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } if err := s.d.ContinuityManager().Pause(ctx, w, r, sessionName, continuity.WithPayload(&AuthCodeContainer{ @@ -228,7 +228,7 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat TransientPayload: f.TransientPayload, }), continuity.WithLifespan(time.Minute*30)); err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } var up map[string]string @@ -238,7 +238,7 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat codeURL, err := getAuthRedirectURL(ctx, provider, f, state, up, pkce) if err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } if x.IsJSONRequest(r) { s.d.Writer().WriteError(w, r, flow.NewBrowserLocationChangeRequiredError(codeURL)) 
@@ -299,17 +299,17 @@ func (s *Strategy) processRegistration(ctx context.Context, w http.ResponseWrite
 // not need additional consent/login.
 // This is kinda hacky but the only way to ensure seamless login/registration flows when using OIDC.
- s.d.Logger().WithRequest(r).WithField("provider", provider.Config().ID).
+ s.d.Logger().WithRequest(r).WithField("Provider", provider.Config().ID).
 WithField("subject", claims.Subject).
 Debug("Received successful OpenID Connect callback but user is already registered. Re-initializing login flow now.")
 lf, err := s.registrationToLogin(ctx, w, r, rf)
 if err != nil {
- return nil, s.handleError(ctx, w, r, rf, provider.Config().ID, nil, err)
+ return nil, s.HandleError(ctx, w, r, rf, provider.Config().ID, nil, err)
 }
- if _, err := s.processLogin(ctx, w, r, lf, token, claims, provider, container); err != nil {
- return lf, s.handleError(ctx, w, r, rf, provider.Config().ID, nil, err)
+ if _, err := s.ProcessLogin(ctx, w, r, lf, token, claims, provider, container); err != nil {
+ return lf, s.HandleError(ctx, w, r, rf, provider.Config().ID, nil, err)
 }
 return nil, nil
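Review bot: The log field key on the changed line becomes `Provider` while the chained `WithField("subject", …)` on the next line stays lower-case, so the structured log record now mixes key styles and any filter on `provider` in the log pipeline stops matching; the key is data, not the renamed identifier, and should stay `WithField("provider", provider.Config().ID).` The remaining lines of the hunk are a pure rename to HandleError/ProcessLogin. processRegistration starts before this hunk.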
@@ -318,17 +318,17 @@ func (s *Strategy) processRegistration(ctx context.Context, w http.ResponseWrite fetch := fetcher.NewFetcher(fetcher.WithClient(s.d.HTTPClient(ctx)), fetcher.WithCache(jsonnetCache, 60*time.Minute)) jsonnetMapperSnippet, err := fetch.FetchContext(ctx, provider.Config().Mapper) if err != nil { - return nil, s.handleError(ctx, w, r, rf, provider.Config().ID, nil, err) + return nil, s.HandleError(ctx, w, r, rf, provider.Config().ID, nil, err) } i, va, err := s.createIdentity(ctx, w, r, rf, claims, provider, container, jsonnetMapperSnippet.Bytes()) if err != nil { - return nil, s.handleError(ctx, w, r, rf, provider.Config().ID, nil, err) + return nil, s.HandleError(ctx, w, r, rf, provider.Config().ID, nil, err) } // Validate the identity itself if err := s.d.IdentityValidator().Validate(ctx, i); err != nil { - return nil, s.handleError(ctx, w, r, rf, provider.Config().ID, i.Traits, err) + return nil, s.HandleError(ctx, w, r, rf, provider.Config().ID, i.Traits, err) } for n := range i.VerifiableAddresses { @@ -345,12 +345,12 @@ func (s *Strategy) processRegistration(ctx context.Context, w http.ResponseWrite creds, err := identity.NewCredentialsOIDC(token, provider.Config().ID, claims.Subject, provider.Config().OrganizationID) if err != nil { - return nil, s.handleError(ctx, w, r, rf, provider.Config().ID, i.Traits, err) + return nil, s.HandleError(ctx, w, r, rf, provider.Config().ID, i.Traits, err) } i.SetCredentials(s.ID(), *creds) if err := s.d.RegistrationExecutor().PostRegistrationHook(w, r, s.ID(), provider.Config().ID, provider.Config().OrganizationID, rf, i); err != nil { - return nil, s.handleError(ctx, w, r, rf, provider.Config().ID, i.Traits, err) + return nil, s.HandleError(ctx, w, r, rf, provider.Config().ID, i.Traits, err) } return nil, nil 
@@ -359,36 +359,36 @@ func (s *Strategy) processRegistration(ctx context.Context, w http.ResponseWrite func (s *Strategy) createIdentity(ctx context.Context, w http.ResponseWriter, r *http.Request, a *registration.Flow, claims *Claims, provider Provider, container *AuthCodeContainer, jsonnetSnippet []byte) (*identity.Identity, []VerifiedAddress, error) { var jsonClaims bytes.Buffer if err := json.NewEncoder(&jsonClaims).Encode(claims); err != nil { - return nil, nil, s.handleError(ctx, w, r, a, provider.Config().ID, nil, err) + return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, nil, err) } vm, err := s.d.JsonnetVM(ctx) if err != nil { - return nil, nil, s.handleError(ctx, w, r, a, provider.Config().ID, nil, err) + return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, nil, err) } vm.ExtCode("claims", jsonClaims.String()) evaluated, err := vm.EvaluateAnonymousSnippet(provider.Config().Mapper, string(jsonnetSnippet)) if err != nil { - return nil, nil, s.handleError(ctx, w, r, a, provider.Config().ID, nil, err) + return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, nil, err) } i := identity.NewIdentity(s.d.Config().DefaultIdentityTraitsSchemaID(ctx)) if err := s.setTraits(ctx, w, r, a, provider, container, evaluated, i); err != nil { - return nil, nil, s.handleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) + return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) } if err := s.setMetadata(evaluated, i, PublicMetadata); err != nil { - return nil, nil, s.handleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) + return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) } if err := s.setMetadata(evaluated, i, AdminMetadata); err != nil { - return nil, nil, s.handleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) + return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) } va, err := s.extractVerifiedAddresses(evaluated) if err != 
nil { - return nil, nil, s.handleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) + return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) } if orgID, err := uuid.FromString(provider.Config().OrganizationID); err == nil { @@ -414,7 +414,7 @@ func (s *Strategy) setTraits(ctx context.Context, w http.ResponseWriter, r *http if container != nil { traits, err := merge(container.Traits, json.RawMessage(jsonTraits.Raw)) if err != nil { - return s.handleError(ctx, w, r, a, provider.Config().ID, nil, err) + return s.HandleError(ctx, w, r, a, provider.Config().ID, nil, err) } i.Traits = traits diff --git a/selfservice/strategy/oidc/strategy_settings.go b/selfservice/strategy/oidc/strategy_settings.go index fa82ab5a1499..cf76e9f2feb3 100644 --- a/selfservice/strategy/oidc/strategy_settings.go +++ b/selfservice/strategy/oidc/strategy_settings.go @@ -359,7 +359,7 @@ func (s *Strategy) initLinkProvider(ctx context.Context, w http.ResponseWriter, return s.handleSettingsError(ctx, w, r, ctxUpdate, p, errors.WithStack(settings.NewFlowNeedsReAuth())) } - provider, err := s.provider(ctx, p.Link) + provider, err := s.Provider(ctx, p.Link) if err != nil { return s.handleSettingsError(ctx, w, r, ctxUpdate, p, err) } diff --git a/selfservice/strategy/oidc/token_verifier.go b/selfservice/strategy/oidc/token_verifier.go index ce9cb8b3d3ee..42b16767a041 100644 --- a/selfservice/strategy/oidc/token_verifier.go +++ b/selfservice/strategy/oidc/token_verifier.go 
@@ -35,8 +35,19 @@ func verifyToken(ctx context.Context, keySet oidc.KeySet, config *Configuration,
 return nil, fmt.Errorf("token audience didn't match allowed audiences: %+v %w", tokenAudiences, err)
 }
 claims := &Claims{}
+ var rawClaims map[string]any
+
+ if token == nil {
+ return nil, fmt.Errorf("token is nil")
+ }
+
 if err := token.Claims(claims); err != nil {
 return nil, err
 }
+ if err = token.Claims(&rawClaims); err != nil {
+ return nil, err
+ }
+ claims.RawClaims = rawClaims
+
 return claims, nil
 }
diff --git a/spec/api.json b/spec/api.json
index 210e6cca8592..299ca2331d2e 100644
--- a/spec/api.json
+++ b/spec/api.json
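Review bot: The new `token == nil` guard sits after `claims := &Claims{}` and after the audience check, whose `tokenAudiences` on the first context line is presumably read from `token` earlier in verifyToken (outside this hunk); if that is the case, a nil token already dereferences before the guard is reached, so the check should be the first statement of the function rather than here. The second decode into `rawClaims` is fine, but `claims.RawClaims = rawClaims` deserves a line explaining why the claim set is kept twice, e.g. `// RawClaims keeps the undecoded claim set so callers can read provider-specific claims that Claims does not model.` Note that `if err = token.Claims(&rawClaims)` assigns to the outer err while the preceding check uses `:=`; using `:=` in both keeps the scoping uniform. verifyToken starts before this hunk.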
@@ -413,10 +413,57 @@ }, "type": "object" }, + "Provider": { + "properties": { + "client_id": { + "description": "The RP's client identifier, issued by the IdP.", + "type": "string" + }, + "config_url": { + "description": "A full path of the IdP config file.", + "type": "string" + }, + "domain_hint": { + "description": "By specifying one of domain_hints values provided by the accounts endpoints,\nthe FedCM dialog selectively shows the specified account.", + "type": "string" + }, + "fields": { + "description": "Array of strings that specifies the user information (\"name\", \" email\",\n\"picture\") that RP needs IdP to share with them.\n\nNote: Field API is supported by Chrome 132 and later.", + "items": { + "type": "string" + }, + "type": "array" + }, + "login_hint": { + "description": "By specifying one of login_hints values provided by the accounts endpoints,\nthe FedCM dialog selectively shows the specified account.", + "type": "string" + }, + "nonce": { + "description": "A random string to ensure the response is issued for this specific request.\nPrevents replay attacks.", + "type": "string" + }, + "parameters": { + "additionalProperties": { + "type": "string" + }, + "description": "Custom object that allows to specify additional key-value parameters:\nscope: A string value containing additional permissions that RP needs to\nrequest, for example \" drive.readonly calendar.readonly\"\nnonce: A random string to ensure the response is issued for this specific\nrequest. Prevents replay attacks.\n\nOther custom key-value parameters.\n\nNote: parameters is supported from Chrome 132.", + "type": "object" + } + }, + "type": "object" + }, "RecoveryAddressType": { "title": "RecoveryAddressType must not exceed 16 characters as that is the limitation in the SQL Schema.", "type": "string" }, + "SubmitFedcmTokenBody": { + "properties": { + "token": { + "type": "string" + } + }, + "type": "object" + }, "Time": { "format": "date-time", "type": "string" 
@@ -905,6 +952,22 @@ ], "type": "object" }, + "getParametersResponse": { + "description": "Contains a list of all available FedCM providers.", + "properties": { + "csrf_token": { + "type": "string" + }, + "providers": { + "items": { + "$ref": "#/components/schemas/Provider" + }, + "type": "array" + } + }, + "title": "GetParametersResponse", + "type": "object" + }, "healthNotReadyStatus": { "properties": { "errors": { 
@@ -2819,26 +2882,26 @@ "updateLoginFlowWithOidcMethod": { "description": "Update Login Flow with OpenID Connect Method", "properties": { + "Provider": { + "description": "The Provider to register with", + "type": "string" + }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, - "provider": { - "description": "The provider to register with", - "type": "string" - }, "traits": { "description": "The identity traits. This is a placeholder for the registration flow.", "type": "object" 
@@ -2848,12 +2911,12 @@
 "type": "object"
 },
 "upstream_parameters": {
- "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.",
+ "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.",
 "type": "object"
 }
 },
 "required": [
- "provider",
+ "Provider",
 "method"
 ],
 "type": "object"
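Review bot: The `required` list now names `Provider` instead of `provider`, and together with the property rename in the previous hunk this makes the capitalised spelling the wire-format field of updateLoginFlowWithOidcMethod; every existing client that posts `provider` will fail validation, so this is a breaking change to the public API rather than an internal rename. This spec appears to be generated from the Go request struct, so the fix belongs in that struct's `json:"provider"` tag (not visible in this patch), after which regenerating restores `"required": ["provider", "method"]`. The registration-flow schema further down carries the same rename and needs the same treatment.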
@@ -3124,26 +3187,26 @@ "updateRegistrationFlowWithOidcMethod": { "description": "Update Registration Flow with OpenID Connect Method", "properties": { + "Provider": { + "description": "The Provider to register with", + "type": "string" + }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and is required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and is required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, - "provider": { - "description": "The provider to register with", - "type": "string" - }, "traits": { "description": "The identity traits", "type": "object" 
@@ -3153,12 +3216,12 @@ "type": "object" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } }, "required": [ - "provider", + "Provider", "method" ], "type": "object" @@ -3376,7 +3439,7 @@ "type": "string" }, "link": { - "description": "Link this provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", + "description": "Link this Provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", "type": "string" }, "method": { 
@@ -3392,11 +3455,11 @@ "type": "object" }, "unlink": { - "description": "Unlink this provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", + "description": "Unlink this Provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", "type": "string" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } }, 
@@ -5485,6 +5548,129 @@ ] } }, + "/self-service/fed-cm/parameters": { + "get": { + "description": "This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network.", + "operationId": "getFedcmParameters", + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/getParametersResponse" + } + } + }, + "description": "getParametersResponse" + }, + "400": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + } + }, + "summary": "Get FedCM Parameters", + "tags": [ + "frontend" + ] + } + }, + "/self-service/fed-cm/token": { + "post": { + "description": "Use this endpoint to submit a token from a FedCM provider through\n`navigator.credentials.get` and log the user in. 
The parameters from\n`navigator.credentials.get` must have come from `GET\nself-service/fed-cm/parameters`.", + "operationId": "submitFedcmToken", + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SubmitFedcmTokenBody" + } + }, + "application/x-www-form-urlencoded": { + "schema": { + "$ref": "#/components/schemas/SubmitFedcmTokenBody" + } + } + }, + "required": true, + "x-originalParamName": "Body" + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/successfulNativeLogin" + } + } + }, + "description": "successfulNativeLogin" + }, + "303": { + "$ref": "#/components/responses/emptyResponse" + }, + "400": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/loginFlow" + } + } + }, + "description": "loginFlow" + }, + "410": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + }, + "422": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorBrowserLocationChangeRequired" + } + } + }, + "description": "errorBrowserLocationChangeRequired" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + } + }, + "summary": "Submit a FedCM token", + "tags": [ + "frontend" + ] + } + }, "/self-service/login": { "post": { "description": "Use this endpoint to complete a login flow. 
This endpoint\nbehaves differently for API and browser flows.\n\nAPI flows expect `application/json` to be sent in the body and responds with\nHTTP 200 and a application/json body with the session token on success;\nHTTP 410 if the original flow expired with the appropriate error messages set and optionally a `use_flow_id` parameter in the body;\nHTTP 400 on form validation errors.\n\nBrowser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with\na HTTP 303 redirect to the post/after login URL or the `return_to` value if it was set and if the login succeeded;\na HTTP 303 redirect to the login UI URL with the flow ID containing the validation errors otherwise.\n\nBrowser flows with an accept header of `application/json` will not redirect but instead respond with\nHTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;\nHTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;\nHTTP 400 on form validation errors.\n\nIf this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`session_already_available`: The user is already signed in.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!\n`browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.\nMost likely used in Social Sign In flows.\n\nMore information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).", 
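Review bot: `submitFedcmToken` consumes `application/x-www-form-urlencoded` and on success returns `successfulNativeLogin`, yet `SubmitFedcmTokenBody` (defined in the spec/swagger.json hunk further down) carries only `token`, while `getParametersResponse` hands out a `csrf_token` that nothing in this endpoint's request schema accepts. For a cookie-based browser flow that leaves the endpoint reachable by a cross-site form post unless the handler enforces the CSRF token by some path the spec does not show; the `nonce` in `Provider` covers replay of the IdP token, not a forged login initiated by another site. If the handler does require the token, add it to the request schema and state it in the description, e.g. `csrf_token: The CSRF token returned by GET /self-service/fed-cm/parameters; required for browser flows.`; if it does not, that is the gap to close before the endpoint ships. The second "code review" commit on this page rewrites model_submit_fedcm_token_body.go and may already address this; the same description gap applies to the swagger.json copy of the endpoint below.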
diff --git a/spec/swagger.json b/spec/swagger.json
index f2f4f05ab25b..e0e2374259c6 100755
--- a/spec/swagger.json
+++ b/spec/swagger.json
@@ -1477,6 +1477,112 @@ } } }, + "/self-service/fed-cm/parameters": { + "get": { + "description": "This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network.", + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "schemes": [ + "http", + "https" + ], + "tags": [ + "frontend" + ], + "summary": "Get FedCM Parameters", + "operationId": "getFedcmParameters", + "responses": { + "200": { + "description": "getParametersResponse", + "schema": { + "$ref": "#/definitions/getParametersResponse" + } + }, + "400": { + "description": "errorGeneric", + "schema": { + "$ref": "#/definitions/errorGeneric" + } + }, + "default": { + "description": "errorGeneric", + "schema": { + "$ref": "#/definitions/errorGeneric" + } + } + } + } + }, + "/self-service/fed-cm/token": { + "post": { + "description": "Use this endpoint to submit a token from a FedCM provider through\n`navigator.credentials.get` and log the user in. The parameters from\n`navigator.credentials.get` must have come from `GET\nself-service/fed-cm/parameters`.", + "consumes": [ + "application/json", + "application/x-www-form-urlencoded" + ], + "produces": [ + "application/json" + ], + "schemes": [ + "http", + "https" + ], + "tags": [ + "frontend" + ], + "summary": "Submit a FedCM token", + "operationId": "submitFedcmToken", + "parameters": [ + { + "name": "Body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/SubmitFedcmTokenBody" + } + } + ], + "responses": { + "200": { + "description": "successfulNativeLogin", + "schema": { + "$ref": "#/definitions/successfulNativeLogin" + } + }, + "303": { + "$ref": "#/responses/emptyResponse" + }, + "400": { + "description": "loginFlow", + "schema": { + "$ref": "#/definitions/loginFlow" + } + }, + "410": { + "description": "errorGeneric", + "schema": { + "$ref": "#/definitions/errorGeneric" + } + }, + "422": { + "description": "errorBrowserLocationChangeRequired", + "schema": { + 
"$ref": "#/definitions/errorBrowserLocationChangeRequired" + } + }, + "default": { + "description": "errorGeneric", + "schema": { + "$ref": "#/definitions/errorGeneric" + } + } + } + } + }, "/self-service/login": { "post": { "description": "Use this endpoint to complete a login flow. This endpoint\nbehaves differently for API and browser flows.\n\nAPI flows expect `application/json` to be sent in the body and responds with\nHTTP 200 and a application/json body with the session token on success;\nHTTP 410 if the original flow expired with the appropriate error messages set and optionally a `use_flow_id` parameter in the body;\nHTTP 400 on form validation errors.\n\nBrowser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with\na HTTP 303 redirect to the post/after login URL or the `return_to` value if it was set and if the login succeeded;\na HTTP 303 redirect to the login UI URL with the flow ID containing the validation errors otherwise.\n\nBrowser flows with an accept header of `application/json` will not redirect but instead respond with\nHTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;\nHTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;\nHTTP 400 on form validation errors.\n\nIf this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`session_already_available`: The user is already signed in.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. 
Adjust this in the configuration!\n`browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.\nMost likely used in Social Sign In flows.\n\nMore information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).", 
@@ -3610,10 +3716,57 @@ } } }, + "Provider": { + "type": "object", + "properties": { + "client_id": { + "description": "The RP's client identifier, issued by the IdP.", + "type": "string" + }, + "config_url": { + "description": "A full path of the IdP config file.", + "type": "string" + }, + "domain_hint": { + "description": "By specifying one of domain_hints values provided by the accounts endpoints,\nthe FedCM dialog selectively shows the specified account.", + "type": "string" + }, + "fields": { + "description": "Array of strings that specifies the user information (\"name\", \" email\",\n\"picture\") that RP needs IdP to share with them.\n\nNote: Field API is supported by Chrome 132 and later.", + "type": "array", + "items": { + "type": "string" + } + }, + "login_hint": { + "description": "By specifying one of login_hints values provided by the accounts endpoints,\nthe FedCM dialog selectively shows the specified account.", + "type": "string" + }, + "nonce": { + "description": "A random string to ensure the response is issued for this specific request.\nPrevents replay attacks.", + "type": "string" + }, + "parameters": { + "description": "Custom object that allows to specify additional key-value parameters:\nscope: A string value containing additional permissions that RP needs to\nrequest, for example \" drive.readonly calendar.readonly\"\nnonce: A random string to ensure the response is issued for this specific\nrequest. Prevents replay attacks.\n\nOther custom key-value parameters.\n\nNote: parameters is supported from Chrome 132.", + "type": "object", + "additionalProperties": { + "type": "string" + } + } + } + }, "RecoveryAddressType": { "type": "string", "title": "RecoveryAddressType must not exceed 16 characters as that is the limitation in the SQL Schema." 
}, + "SubmitFedcmTokenBody": { + "type": "object", + "properties": { + "token": { + "type": "string" + } + } + }, "UUID": {"type": "string", "format": "uuid4"}, "authenticatorAssuranceLevel": { "description": "The authenticator assurance level can be one of \"aal1\", \"aal2\", or \"aal3\". A higher number means that it is harder\nfor an attacker to compromise the account.\n\nGenerally, \"aal1\" implies that one authentication factor was used while AAL2 implies that two factors (e.g.\npassword + TOTP) have been used.\n\nTo learn more about these levels please head over to: https://www.ory.sh/kratos/docs/concepts/credentials", @@ -4057,6 +4210,22 @@ } } }, + "getParametersResponse": { + "description": "Contains a list of all available FedCM providers.", + "type": "object", + "title": "GetParametersResponse", + "properties": { + "csrf_token": { + "type": "string" + }, + "providers": { + "type": "array", + "items": { + "$ref": "#/definitions/Provider" + } + } + } + }, "healthNotReadyStatus": { "type": "object", "title": "The not ready status of the service.", 
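Review bot: The new top-level definition `Provider` is a very generic name in a spec that already uses "provider" for the OIDC provider concept (`provider` property, per-provider `fedcm_config_url`), and it sits next to operations named `getFedcmParameters`/`submitFedcmToken`; a self-describing name such as `fedcmProvider` would avoid the clash, and since the spec is generated the rename belongs in the Go type in selfservice/strategy/oidc/fedcm/definitions.go. The `fields` and `parameters` descriptions also carry stray leading spaces inside their quoted examples (`" email"`, `" drive.readonly calendar.readonly"`), which will show up verbatim in the SDK docs; fixing the Go doc comment and regenerating clears both. `SubmitFedcmTokenBody` has no description at all, so a one-line comment on the Go struct stating what `token` is (presumably the FedCM-issued ID token) would help SDK consumers.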
@@ -5866,30 +6035,30 @@ "description": "Update Login Flow with OpenID Connect Method", "type": "object", "required": [ - "provider", + "Provider", "method" ], "properties": { + "Provider": { + "description": "The Provider to register with", + "type": "string" + }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, - "provider": { - "description": "The provider to register with", - "type": "string" - }, "traits": { "description": "The identity traits. This is a placeholder for the registration flow.", "type": "object" 
@@ -5899,7 +6068,7 @@ "type": "object" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } } 
@@ -6127,30 +6296,30 @@ "description": "Update Registration Flow with OpenID Connect Method", "type": "object", "required": [ - "provider", + "Provider", "method" ], "properties": { + "Provider": { + "description": "The Provider to register with", + "type": "string" + }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and is required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and is required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, - "provider": { - "description": "The provider to register with", - "type": "string" - }, "traits": { "description": "The identity traits", "type": "object" 
@@ -6160,7 +6329,7 @@ "type": "object" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } } @@ -6348,7 +6517,7 @@ "type": "string" }, "link": { - "description": "Link this provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", + "description": "Link this Provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", "type": "string" }, "method": { 
@@ -6364,11 +6533,11 @@ "type": "object" }, "unlink": { - "description": "Unlink this provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", + "description": "Unlink this Provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", "type": "string" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } } diff --git a/x/router.go b/x/router.go index 6f4cb3609069..06c224c0a37f 100644 --- a/x/router.go +++ b/x/router.go 
@@ -105,3 +105,8 @@ func (r *RouterAdmin) Handler(method, publicPath string, handler http.Handler) {
 func (r *RouterAdmin) Lookup(method, publicPath string) {
 r.Router.Lookup(method, path.Join(AdminPrefix, publicPath))
 }
+
+type HandlerRegistrar interface {
+ RegisterPublicRoutes(public *RouterPublic)
+ RegisterAdminRoutes(admin *RouterAdmin)
+}
From 11e6cd005c932ad3b34d03f88efa0624bd9a16d2 Mon Sep 17 00:00:00 2001
From: Henning Perl
Date: Fri, 24 Jan 2025 11:54:25 +0100
Subject: [PATCH 2/9] code review
---
 embedx/config.schema.json | 2 +- internal/client-go/.openapi-generator/FILES | 4 +- internal/client-go/README.md | 2 +- internal/client-go/api_frontend.go | 12 +- internal/client-go/go.sum | 2 - ...> model_get_fed_cm_parameters_response.go} | 54 ++++----- .../model_submit_fedcm_token_body.go | 112 ++++++++++++++++++ ...odel_update_login_flow_with_oidc_method.go | 68 +++++------ ...date_registration_flow_with_oidc_method.go | 68 +++++------ ...l_update_settings_flow_with_oidc_method.go | 6 +- internal/httpclient/.openapi-generator/FILES | 4 +- internal/httpclient/README.md | 2 +- internal/httpclient/api_frontend.go | 12 +- ...> model_get_fed_cm_parameters_response.go} | 54 ++++----- .../model_submit_fedcm_token_body.go | 112 ++++++++++++++++++ ...odel_update_login_flow_with_oidc_method.go | 68 +++++------ ...date_registration_flow_with_oidc_method.go | 68 +++++------ ...l_update_settings_flow_with_oidc_method.go | 6 +- .../strategy/oidc/fedcm/definitions.go | 4 +- selfservice/strategy/oidc/pkce.go | 6 +- selfservice/strategy/oidc/strategy.go | 4 +- spec/api.json | 57 +++++---- spec/swagger.json | 57 +++++---- 23 files changed, 516 insertions(+), 268 deletions(-) rename internal/client-go/{model_get_parameters_response.go => model_get_fed_cm_parameters_response.go} (59%) rename internal/httpclient/{model_get_parameters_response.go => model_get_fed_cm_parameters_response.go} (59%)
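Review bot: `HandlerRegistrar` is a new exported interface without a doc comment, which `golint`/`staticcheck` will flag and which leaves the contract of the two methods unstated; suggest `// HandlerRegistrar is implemented by components that attach their HTTP routes to the public and admin routers.` above the type. Whether an implementation that only serves public routes must still provide an empty `RegisterAdminRoutes` is worth saying in that comment, since the loop that consumes registrars (driver/registry_default.go per the diffstat) is not in this hunk. Consider also noting that these registrations run with the same trust boundary as the existing `RouterPublic`/`RouterAdmin` split, so a registrar must not put admin-only handlers on the public router.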
diff --git a/embedx/config.schema.json b/embedx/config.schema.json
index d9bb0173605e..ad4db74df0e9 100644
--- a/embedx/config.schema.json
+++ b/embedx/config.schema.json
@@ -582,7 +582,7 @@
 },
 "fedcm_config_url": {
 "title": "Federation Configuration URL",
- "description": "The URL where the FedCM IdP configuration is located for the provider.",
+ "description": "The URL where the FedCM IdP configuration is located for the provider. This is only effective in the Ory Network.",
 "type": "string",
 "format": "uri",
 "examples": ["https://example.com/config.json"]
diff --git a/internal/client-go/.openapi-generator/FILES b/internal/client-go/.openapi-generator/FILES
index eef4b6b4dfe9..304b5b327fb8 100644
--- a/internal/client-go/.openapi-generator/FILES
+++ b/internal/client-go/.openapi-generator/FILES
@@ -35,7 +35,7 @@ docs/ErrorGeneric.md
 docs/FlowError.md
 docs/FrontendAPI.md
 docs/GenericError.md
-docs/GetParametersResponse.md
+docs/GetFedCmParametersResponse.md
 docs/GetVersion200Response.md
 docs/HealthNotReadyStatus.md
 docs/HealthStatus.md
@@ -163,7 +163,7 @@ model_error_flow_replaced.go
 model_error_generic.go
 model_flow_error.go
 model_generic_error.go
-model_get_parameters_response.go
+model_get_fed_cm_parameters_response.go
 model_get_version_200_response.go
 model_health_not_ready_status.go
 model_health_status.go
diff --git a/internal/client-go/README.md b/internal/client-go/README.md
index 76576250b664..e9657b0432f8 100644
--- a/internal/client-go/README.md
+++ b/internal/client-go/README.md
@@ -162,7 +162,7 @@ Class | Method | HTTP request | Description
 - [ErrorGeneric](docs/ErrorGeneric.md)
 - [FlowError](docs/FlowError.md)
 - [GenericError](docs/GenericError.md)
- - [GetParametersResponse](docs/GetParametersResponse.md)
+ - [GetFedCmParametersResponse](docs/GetFedCmParametersResponse.md)
 - [GetVersion200Response](docs/GetVersion200Response.md)
 - [HealthNotReadyStatus](docs/HealthNotReadyStatus.md)
 - [HealthStatus](docs/HealthStatus.md)
diff --git a/internal/client-go/api_frontend.go b/internal/client-go/api_frontend.go index 2faad9a5bd32..97f0ca8b82c7 100644 --- a/internal/client-go/api_frontend.go +++ b/internal/client-go/api_frontend.go @@ -404,9 +404,9 @@ type FrontendAPI interface { /* * GetFedcmParametersExecute executes the request - * @return GetParametersResponse + * @return GetFedCmParametersResponse */ - GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) + GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetFedCmParametersResponse, *http.Response, error) /* * GetFlowError Get User-Flow Errors @@ -3140,7 +3140,7 @@ type FrontendAPIApiGetFedcmParametersRequest struct { ApiService FrontendAPI } -func (r FrontendAPIApiGetFedcmParametersRequest) Execute() (*GetParametersResponse, *http.Response, error) { +func (r FrontendAPIApiGetFedcmParametersRequest) Execute() (*GetFedCmParametersResponse, *http.Response, error) { return r.ApiService.GetFedcmParametersExecute(r) } @@ -3159,16 +3159,16 @@ func (a *FrontendAPIService) GetFedcmParameters(ctx context.Context) FrontendAPI /* * Execute executes the request - * @return GetParametersResponse + * @return GetFedCmParametersResponse */ -func (a *FrontendAPIService) GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) { +func (a *FrontendAPIService) GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetFedCmParametersResponse, *http.Response, error) { var ( localVarHTTPMethod = http.MethodGet localVarPostBody interface{} localVarFormFileName string localVarFileName string localVarFileBytes []byte - localVarReturnValue *GetParametersResponse + localVarReturnValue *GetFedCmParametersResponse ) localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.GetFedcmParameters") 
diff --git a/internal/client-go/go.sum b/internal/client-go/go.sum index 734252e68153..c966c8ddfd0d 100644 --- a/internal/client-go/go.sum +++ b/internal/client-go/go.sum @@ -4,8 +4,6 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= diff --git a/internal/client-go/model_get_parameters_response.go b/internal/client-go/model_get_fed_cm_parameters_response.go similarity index 59% rename from internal/client-go/model_get_parameters_response.go rename to internal/client-go/model_get_fed_cm_parameters_response.go index 17616c790407..1563b7e2cee2 100644 --- a/internal/client-go/model_get_parameters_response.go +++ b/internal/client-go/model_get_fed_cm_parameters_response.go 
@@ -15,31 +15,31 @@ import ( "encoding/json" ) -// GetParametersResponse Contains a list of all available FedCM providers. -type GetParametersResponse struct { +// GetFedCmParametersResponse Contains a list of all available FedCM providers. +type GetFedCmParametersResponse struct { CsrfToken *string `json:"csrf_token,omitempty"` Providers []Provider `json:"providers,omitempty"` } -// NewGetParametersResponse instantiates a new GetParametersResponse object +// NewGetFedCmParametersResponse instantiates a new GetFedCmParametersResponse object // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewGetParametersResponse() *GetParametersResponse { - this := GetParametersResponse{} +func NewGetFedCmParametersResponse() *GetFedCmParametersResponse { + this := GetFedCmParametersResponse{} return &this } -// NewGetParametersResponseWithDefaults instantiates a new GetParametersResponse object +// NewGetFedCmParametersResponseWithDefaults instantiates a new GetFedCmParametersResponse object // This constructor will only assign default values to properties that have it defined, // but it doesn't guarantee that properties required by API are set -func NewGetParametersResponseWithDefaults() *GetParametersResponse { - this := GetParametersResponse{} +func NewGetFedCmParametersResponseWithDefaults() *GetFedCmParametersResponse { + this := GetFedCmParametersResponse{} return &this } // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. -func (o *GetParametersResponse) GetCsrfToken() string { +func (o *GetFedCmParametersResponse) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { var ret string return ret 
@@ -49,7 +49,7 @@ func (o *GetParametersResponse) GetCsrfToken() string { // GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise // and a boolean to check if the value has been set. -func (o *GetParametersResponse) GetCsrfTokenOk() (*string, bool) { +func (o *GetFedCmParametersResponse) GetCsrfTokenOk() (*string, bool) { if o == nil || o.CsrfToken == nil { return nil, false } @@ -57,7 +57,7 @@ func (o *GetParametersResponse) GetCsrfTokenOk() (*string, bool) { } // HasCsrfToken returns a boolean if a field has been set. -func (o *GetParametersResponse) HasCsrfToken() bool { +func (o *GetFedCmParametersResponse) HasCsrfToken() bool { if o != nil && o.CsrfToken != nil { return true } @@ -66,12 +66,12 @@ func (o *GetParametersResponse) HasCsrfToken() bool { } // SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field. -func (o *GetParametersResponse) SetCsrfToken(v string) { +func (o *GetFedCmParametersResponse) SetCsrfToken(v string) { o.CsrfToken = &v } // GetProviders returns the Providers field value if set, zero value otherwise. -func (o *GetParametersResponse) GetProviders() []Provider { +func (o *GetFedCmParametersResponse) GetProviders() []Provider { if o == nil || o.Providers == nil { var ret []Provider return ret @@ -81,7 +81,7 @@ func (o *GetParametersResponse) GetProviders() []Provider { // GetProvidersOk returns a tuple with the Providers field value if set, nil otherwise // and a boolean to check if the value has been set. -func (o *GetParametersResponse) GetProvidersOk() ([]Provider, bool) { +func (o *GetFedCmParametersResponse) GetProvidersOk() ([]Provider, bool) { if o == nil || o.Providers == nil { return nil, false } 
@@ -89,7 +89,7 @@ func (o *GetParametersResponse) GetProvidersOk() ([]Provider, bool) { } // HasProviders returns a boolean if a field has been set. -func (o *GetParametersResponse) HasProviders() bool { +func (o *GetFedCmParametersResponse) HasProviders() bool { if o != nil && o.Providers != nil { return true } @@ -98,11 +98,11 @@ func (o *GetParametersResponse) HasProviders() bool { } // SetProviders gets a reference to the given []Provider and assigns it to the Providers field. -func (o *GetParametersResponse) SetProviders(v []Provider) { +func (o *GetFedCmParametersResponse) SetProviders(v []Provider) { o.Providers = v } -func (o GetParametersResponse) MarshalJSON() ([]byte, error) { +func (o GetFedCmParametersResponse) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken 
@@ -113,38 +113,38 @@ func (o GetParametersResponse) MarshalJSON() ([]byte, error) { return json.Marshal(toSerialize) } -type NullableGetParametersResponse struct { - value *GetParametersResponse +type NullableGetFedCmParametersResponse struct { + value *GetFedCmParametersResponse isSet bool } -func (v NullableGetParametersResponse) Get() *GetParametersResponse { +func (v NullableGetFedCmParametersResponse) Get() *GetFedCmParametersResponse { return v.value } -func (v *NullableGetParametersResponse) Set(val *GetParametersResponse) { +func (v *NullableGetFedCmParametersResponse) Set(val *GetFedCmParametersResponse) { v.value = val v.isSet = true } -func (v NullableGetParametersResponse) IsSet() bool { +func (v NullableGetFedCmParametersResponse) IsSet() bool { return v.isSet } -func (v *NullableGetParametersResponse) Unset() { +func (v *NullableGetFedCmParametersResponse) Unset() { v.value = nil v.isSet = false } -func NewNullableGetParametersResponse(val *GetParametersResponse) *NullableGetParametersResponse { - return &NullableGetParametersResponse{value: val, isSet: true} +func NewNullableGetFedCmParametersResponse(val *GetFedCmParametersResponse) *NullableGetFedCmParametersResponse { + return &NullableGetFedCmParametersResponse{value: val, isSet: true} } -func (v NullableGetParametersResponse) MarshalJSON() ([]byte, error) { +func (v NullableGetFedCmParametersResponse) MarshalJSON() ([]byte, error) { return json.Marshal(v.value) } -func (v *NullableGetParametersResponse) UnmarshalJSON(src []byte) error { +func (v *NullableGetFedCmParametersResponse) UnmarshalJSON(src []byte) error { v.isSet = true return json.Unmarshal(src, &v.value) } diff --git a/internal/client-go/model_submit_fedcm_token_body.go b/internal/client-go/model_submit_fedcm_token_body.go index 8b2fbc54c70f..3c9c060b6d25 100644 --- a/internal/client-go/model_submit_fedcm_token_body.go +++ b/internal/client-go/model_submit_fedcm_token_body.go 
@@ -17,6 +17,13 @@ import ( // SubmitFedcmTokenBody struct for SubmitFedcmTokenBody type SubmitFedcmTokenBody struct { + // CSRFToken is the anti-CSRF token. + CsrfToken *string `json:"csrf_token,omitempty"` + // Nonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and required. + Nonce *string `json:"nonce,omitempty"` + // The provider to log in with. + Provider *string `json:"provider,omitempty"` + // Token contains the result of `navigator.credentials.get`. Token *string `json:"token,omitempty"` } 
@@ -37,6 +44,102 @@ func NewSubmitFedcmTokenBodyWithDefaults() *SubmitFedcmTokenBody { return &this } +// GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. +func (o *SubmitFedcmTokenBody) GetCsrfToken() string { + if o == nil || o.CsrfToken == nil { + var ret string + return ret + } + return *o.CsrfToken +} + +// GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SubmitFedcmTokenBody) GetCsrfTokenOk() (*string, bool) { + if o == nil || o.CsrfToken == nil { + return nil, false + } + return o.CsrfToken, true +} + +// HasCsrfToken returns a boolean if a field has been set. +func (o *SubmitFedcmTokenBody) HasCsrfToken() bool { + if o != nil && o.CsrfToken != nil { + return true + } + + return false +} + +// SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field. +func (o *SubmitFedcmTokenBody) SetCsrfToken(v string) { + o.CsrfToken = &v +} + +// GetNonce returns the Nonce field value if set, zero value otherwise. +func (o *SubmitFedcmTokenBody) GetNonce() string { + if o == nil || o.Nonce == nil { + var ret string + return ret + } + return *o.Nonce +} + +// GetNonceOk returns a tuple with the Nonce field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SubmitFedcmTokenBody) GetNonceOk() (*string, bool) { + if o == nil || o.Nonce == nil { + return nil, false + } + return o.Nonce, true +} + +// HasNonce returns a boolean if a field has been set. +func (o *SubmitFedcmTokenBody) HasNonce() bool { + if o != nil && o.Nonce != nil { + return true + } + + return false +} + +// SetNonce gets a reference to the given string and assigns it to the Nonce field. +func (o *SubmitFedcmTokenBody) SetNonce(v string) { + o.Nonce = &v +} + +// GetProvider returns the Provider field value if set, zero value otherwise. 
+func (o *SubmitFedcmTokenBody) GetProvider() string { + if o == nil || o.Provider == nil { + var ret string + return ret + } + return *o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SubmitFedcmTokenBody) GetProviderOk() (*string, bool) { + if o == nil || o.Provider == nil { + return nil, false + } + return o.Provider, true +} + +// HasProvider returns a boolean if a field has been set. +func (o *SubmitFedcmTokenBody) HasProvider() bool { + if o != nil && o.Provider != nil { + return true + } + + return false +} + +// SetProvider gets a reference to the given string and assigns it to the Provider field. +func (o *SubmitFedcmTokenBody) SetProvider(v string) { + o.Provider = &v +} + // GetToken returns the Token field value if set, zero value otherwise. func (o *SubmitFedcmTokenBody) GetToken() string { if o == nil || o.Token == nil { @@ -71,6 +174,15 @@ func (o *SubmitFedcmTokenBody) SetToken(v string) { func (o SubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} + if o.CsrfToken != nil { + toSerialize["csrf_token"] = o.CsrfToken + } + if o.Nonce != nil { + toSerialize["nonce"] = o.Nonce + } + if o.Provider != nil { + toSerialize["provider"] = o.Provider + } if o.Token != nil { toSerialize["token"] = o.Token } diff --git a/internal/client-go/model_update_login_flow_with_oidc_method.go b/internal/client-go/model_update_login_flow_with_oidc_method.go index c7ebbec5e248..cdd5c665bdc5 100644 --- a/internal/client-go/model_update_login_flow_with_oidc_method.go +++ b/internal/client-go/model_update_login_flow_with_oidc_method.go 
@@ -17,21 +17,21 @@ import ( // UpdateLoginFlowWithOidcMethod Update Login Flow with OpenID Connect Method type UpdateLoginFlowWithOidcMethod struct { - // The Provider to register with - Provider string `json:"Provider"` // The CSRF Token CsrfToken *string `json:"csrf_token,omitempty"` - // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google + // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google IdToken *string `json:"id_token,omitempty"` - // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and required. + // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and required. IdTokenNonce *string `json:"id_token_nonce,omitempty"` // Method to use This field must be set to `oidc` when using the oidc method. Method string `json:"method"` + // The provider to register with + Provider string `json:"provider"` // The identity traits. This is a placeholder for the registration flow. 
Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
@@ -39,10 +39,10 @@ type UpdateLoginFlowWithOidcMethod struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUpdateLoginFlowWithOidcMethod(provider string, method string) *UpdateLoginFlowWithOidcMethod { +func NewUpdateLoginFlowWithOidcMethod(method string, provider string) *UpdateLoginFlowWithOidcMethod { this := UpdateLoginFlowWithOidcMethod{} - this.Provider = provider this.Method = method + this.Provider = provider return &this } @@ -54,30 +54,6 @@ func NewUpdateLoginFlowWithOidcMethodWithDefaults() *UpdateLoginFlowWithOidcMeth return &this } -// GetProvider returns the Provider field value -func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string { - if o == nil { - var ret string - return ret - } - - return o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value -// and a boolean to check if the value has been set. -func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) { - if o == nil { - return nil, false - } - return &o.Provider, true -} - -// SetProvider sets field value -func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) { - o.Provider = v -} - // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. func (o *UpdateLoginFlowWithOidcMethod) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { 
@@ -198,6 +174,30 @@ func (o *UpdateLoginFlowWithOidcMethod) SetMethod(v string) { o.Method = v } +// GetProvider returns the Provider field value +func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string { + if o == nil { + var ret string + return ret + } + + return o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value +// and a boolean to check if the value has been set. +func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Provider, true +} + +// SetProvider sets field value +func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) { + o.Provider = v +} + // GetTraits returns the Traits field value if set, zero value otherwise. func (o *UpdateLoginFlowWithOidcMethod) GetTraits() map[string]interface{} { if o == nil || o.Traits == nil { @@ -296,9 +296,6 @@ func (o *UpdateLoginFlowWithOidcMethod) SetUpstreamParameters(v map[string]inter func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} - if true { - toSerialize["Provider"] = o.Provider - } if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken } @@ -311,6 +308,9 @@ func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) { if true { toSerialize["method"] = o.Method } + if true { + toSerialize["provider"] = o.Provider + } if o.Traits != nil { toSerialize["traits"] = o.Traits } diff --git a/internal/client-go/model_update_registration_flow_with_oidc_method.go b/internal/client-go/model_update_registration_flow_with_oidc_method.go index d96f8bb21777..2ee32605fee6 100644 --- a/internal/client-go/model_update_registration_flow_with_oidc_method.go +++ b/internal/client-go/model_update_registration_flow_with_oidc_method.go 
@@ -17,21 +17,21 @@ import ( // UpdateRegistrationFlowWithOidcMethod Update Registration Flow with OpenID Connect Method type UpdateRegistrationFlowWithOidcMethod struct { - // The Provider to register with - Provider string `json:"Provider"` // The CSRF Token CsrfToken *string `json:"csrf_token,omitempty"` - // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google + // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google IdToken *string `json:"id_token,omitempty"` - // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and is required. + // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and is required. IdTokenNonce *string `json:"id_token_nonce,omitempty"` // Method to use This field must be set to `oidc` when using the oidc method. 
Method string `json:"method"` + // The provider to register with + Provider string `json:"provider"` // The identity traits Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
@@ -39,10 +39,10 @@ type UpdateRegistrationFlowWithOidcMethod struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUpdateRegistrationFlowWithOidcMethod(provider string, method string) *UpdateRegistrationFlowWithOidcMethod { +func NewUpdateRegistrationFlowWithOidcMethod(method string, provider string) *UpdateRegistrationFlowWithOidcMethod { this := UpdateRegistrationFlowWithOidcMethod{} - this.Provider = provider this.Method = method + this.Provider = provider return &this } @@ -54,30 +54,6 @@ func NewUpdateRegistrationFlowWithOidcMethodWithDefaults() *UpdateRegistrationFl return &this } -// GetProvider returns the Provider field value -func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string { - if o == nil { - var ret string - return ret - } - - return o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value -// and a boolean to check if the value has been set. -func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) { - if o == nil { - return nil, false - } - return &o.Provider, true -} - -// SetProvider sets field value -func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) { - o.Provider = v -} - // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. func (o *UpdateRegistrationFlowWithOidcMethod) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { 
@@ -198,6 +174,30 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetMethod(v string) { o.Method = v } +// GetProvider returns the Provider field value +func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string { + if o == nil { + var ret string + return ret + } + + return o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value +// and a boolean to check if the value has been set. +func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Provider, true +} + +// SetProvider sets field value +func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) { + o.Provider = v +} + // GetTraits returns the Traits field value if set, zero value otherwise. func (o *UpdateRegistrationFlowWithOidcMethod) GetTraits() map[string]interface{} { if o == nil || o.Traits == nil { @@ -296,9 +296,6 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetUpstreamParameters(v map[strin func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} - if true { - toSerialize["Provider"] = o.Provider - } if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken } @@ -311,6 +308,9 @@ func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) { if true { toSerialize["method"] = o.Method } + if true { + toSerialize["provider"] = o.Provider + } if o.Traits != nil { toSerialize["traits"] = o.Traits } diff --git a/internal/client-go/model_update_settings_flow_with_oidc_method.go b/internal/client-go/model_update_settings_flow_with_oidc_method.go index 6a1650c5c317..c54a0d1251f3 100644 --- a/internal/client-go/model_update_settings_flow_with_oidc_method.go +++ b/internal/client-go/model_update_settings_flow_with_oidc_method.go 
@@ -19,7 +19,7 @@ import ( type UpdateSettingsFlowWithOidcMethod struct { // Flow ID is the flow's ID. in: query Flow *string `json:"flow,omitempty"` - // Link this Provider Either this or `unlink` must be set. type: string in: body + // Link this provider Either this or `unlink` must be set. type: string in: body Link *string `json:"link,omitempty"` // Method Should be set to profile when trying to update a profile. Method string `json:"method"` 
@@ -27,9 +27,9 @@ type UpdateSettingsFlowWithOidcMethod struct { Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // Unlink this Provider Either this or `link` must be set. type: string in: body + // Unlink this provider Either this or `link` must be set. type: string in: body Unlink *string `json:"unlink,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } diff --git a/internal/httpclient/.openapi-generator/FILES b/internal/httpclient/.openapi-generator/FILES index eef4b6b4dfe9..304b5b327fb8 100644 
--- a/internal/httpclient/.openapi-generator/FILES +++ b/internal/httpclient/.openapi-generator/FILES @@ -35,7 +35,7 @@ docs/ErrorGeneric.md docs/FlowError.md docs/FrontendAPI.md docs/GenericError.md -docs/GetParametersResponse.md +docs/GetFedCmParametersResponse.md docs/GetVersion200Response.md docs/HealthNotReadyStatus.md docs/HealthStatus.md @@ -163,7 +163,7 @@ model_error_flow_replaced.go model_error_generic.go model_flow_error.go model_generic_error.go -model_get_parameters_response.go +model_get_fed_cm_parameters_response.go model_get_version_200_response.go model_health_not_ready_status.go model_health_status.go diff --git a/internal/httpclient/README.md b/internal/httpclient/README.md index 76576250b664..e9657b0432f8 100644 --- a/internal/httpclient/README.md +++ b/internal/httpclient/README.md @@ -162,7 +162,7 @@ Class | Method | HTTP request | Description - [ErrorGeneric](docs/ErrorGeneric.md) - [FlowError](docs/FlowError.md) - [GenericError](docs/GenericError.md) - - [GetParametersResponse](docs/GetParametersResponse.md) + - [GetFedCmParametersResponse](docs/GetFedCmParametersResponse.md) - [GetVersion200Response](docs/GetVersion200Response.md) - [HealthNotReadyStatus](docs/HealthNotReadyStatus.md) - [HealthStatus](docs/HealthStatus.md) diff --git a/internal/httpclient/api_frontend.go b/internal/httpclient/api_frontend.go index 2faad9a5bd32..97f0ca8b82c7 100644 --- a/internal/httpclient/api_frontend.go +++ b/internal/httpclient/api_frontend.go @@ -404,9 +404,9 @@ type FrontendAPI interface { /* * GetFedcmParametersExecute executes the request - * @return GetParametersResponse + * @return GetFedCmParametersResponse */ - GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) + GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetFedCmParametersResponse, *http.Response, error) /* * GetFlowError Get User-Flow Errors 
@@ -3140,7 +3140,7 @@ type FrontendAPIApiGetFedcmParametersRequest struct { ApiService FrontendAPI } -func (r FrontendAPIApiGetFedcmParametersRequest) Execute() (*GetParametersResponse, *http.Response, error) { +func (r FrontendAPIApiGetFedcmParametersRequest) Execute() (*GetFedCmParametersResponse, *http.Response, error) { return r.ApiService.GetFedcmParametersExecute(r) } @@ -3159,16 +3159,16 @@ func (a *FrontendAPIService) GetFedcmParameters(ctx context.Context) FrontendAPI /* * Execute executes the request - * @return GetParametersResponse + * @return GetFedCmParametersResponse */ -func (a *FrontendAPIService) GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) { +func (a *FrontendAPIService) GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetFedCmParametersResponse, *http.Response, error) { var ( localVarHTTPMethod = http.MethodGet localVarPostBody interface{} localVarFormFileName string localVarFileName string localVarFileBytes []byte - localVarReturnValue *GetParametersResponse + localVarReturnValue *GetFedCmParametersResponse ) localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.GetFedcmParameters") diff --git a/internal/httpclient/model_get_parameters_response.go b/internal/httpclient/model_get_fed_cm_parameters_response.go similarity index 59% rename from internal/httpclient/model_get_parameters_response.go rename to internal/httpclient/model_get_fed_cm_parameters_response.go index 17616c790407..1563b7e2cee2 100644 --- a/internal/httpclient/model_get_parameters_response.go +++ b/internal/httpclient/model_get_fed_cm_parameters_response.go 
@@ -15,31 +15,31 @@ import ( "encoding/json" ) -// GetParametersResponse Contains a list of all available FedCM providers. -type GetParametersResponse struct { +// GetFedCmParametersResponse Contains a list of all available FedCM providers. +type GetFedCmParametersResponse struct { CsrfToken *string `json:"csrf_token,omitempty"` Providers []Provider `json:"providers,omitempty"` } -// NewGetParametersResponse instantiates a new GetParametersResponse object +// NewGetFedCmParametersResponse instantiates a new GetFedCmParametersResponse object // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewGetParametersResponse() *GetParametersResponse { - this := GetParametersResponse{} +func NewGetFedCmParametersResponse() *GetFedCmParametersResponse { + this := GetFedCmParametersResponse{} return &this } -// NewGetParametersResponseWithDefaults instantiates a new GetParametersResponse object +// NewGetFedCmParametersResponseWithDefaults instantiates a new GetFedCmParametersResponse object // This constructor will only assign default values to properties that have it defined, // but it doesn't guarantee that properties required by API are set -func NewGetParametersResponseWithDefaults() *GetParametersResponse { - this := GetParametersResponse{} +func NewGetFedCmParametersResponseWithDefaults() *GetFedCmParametersResponse { + this := GetFedCmParametersResponse{} return &this } // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. -func (o *GetParametersResponse) GetCsrfToken() string { +func (o *GetFedCmParametersResponse) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { var ret string return ret 
@@ -49,7 +49,7 @@ func (o *GetParametersResponse) GetCsrfToken() string {
 // GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise
 // and a boolean to check if the value has been set.
-func (o *GetParametersResponse) GetCsrfTokenOk() (*string, bool) {
+func (o *GetFedCmParametersResponse) GetCsrfTokenOk() (*string, bool) {
 if o == nil || o.CsrfToken == nil {
 return nil, false
 }
@@ -57,7 +57,7 @@ func (o *GetParametersResponse) GetCsrfTokenOk() (*string, bool) {
 }
 // HasCsrfToken returns a boolean if a field has been set.
-func (o *GetParametersResponse) HasCsrfToken() bool {
+func (o *GetFedCmParametersResponse) HasCsrfToken() bool {
 if o != nil && o.CsrfToken != nil {
 return true
 }
@@ -66,12 +66,12 @@ func (o *GetParametersResponse) HasCsrfToken() bool {
 }
 // SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field.
-func (o *GetParametersResponse) SetCsrfToken(v string) {
+func (o *GetFedCmParametersResponse) SetCsrfToken(v string) {
 o.CsrfToken = &v
 }
 // GetProviders returns the Providers field value if set, zero value otherwise.
-func (o *GetParametersResponse) GetProviders() []Provider {
+func (o *GetFedCmParametersResponse) GetProviders() []Provider {
 if o == nil || o.Providers == nil {
 var ret []Provider
 return ret
@@ -81,7 +81,7 @@ func (o *GetParametersResponse) GetProviders() []Provider {
 // GetProvidersOk returns a tuple with the Providers field value if set, nil otherwise
 // and a boolean to check if the value has been set.
-func (o *GetParametersResponse) GetProvidersOk() ([]Provider, bool) {
+func (o *GetFedCmParametersResponse) GetProvidersOk() ([]Provider, bool) {
 if o == nil || o.Providers == nil {
 return nil, false
 }
@@ -89,7 +89,7 @@ func (o *GetParametersResponse) GetProvidersOk() ([]Provider, bool) {
 }
 // HasProviders returns a boolean if a field has been set.
-func (o *GetParametersResponse) HasProviders() bool {
+func (o *GetFedCmParametersResponse) HasProviders() bool {
 if o != nil && o.Providers != nil {
 return true
 }
@@ -98,11 +98,11 @@ func (o *GetParametersResponse) HasProviders() bool {
 }
 // SetProviders gets a reference to the given []Provider and assigns it to the Providers field.
-func (o *GetParametersResponse) SetProviders(v []Provider) {
+func (o *GetFedCmParametersResponse) SetProviders(v []Provider) {
 o.Providers = v
 }
-func (o GetParametersResponse) MarshalJSON() ([]byte, error) {
+func (o GetFedCmParametersResponse) MarshalJSON() ([]byte, error) {
 toSerialize := map[string]interface{}{}
 if o.CsrfToken != nil {
 toSerialize["csrf_token"] = o.CsrfToken
@@ -113,38 +113,38 @@ func (o GetParametersResponse) MarshalJSON() ([]byte, error) {
 return json.Marshal(toSerialize)
 }
-type NullableGetParametersResponse struct {
- value *GetParametersResponse
+type NullableGetFedCmParametersResponse struct {
+ value *GetFedCmParametersResponse
 isSet bool
 }
-func (v NullableGetParametersResponse) Get() *GetParametersResponse {
+func (v NullableGetFedCmParametersResponse) Get() *GetFedCmParametersResponse {
 return v.value
 }
-func (v *NullableGetParametersResponse) Set(val *GetParametersResponse) {
+func (v *NullableGetFedCmParametersResponse) Set(val *GetFedCmParametersResponse) {
 v.value = val
 v.isSet = true
 }
-func (v NullableGetParametersResponse) IsSet() bool {
+func (v NullableGetFedCmParametersResponse) IsSet() bool {
 return v.isSet
 }
-func (v *NullableGetParametersResponse) Unset() {
+func (v *NullableGetFedCmParametersResponse) Unset() {
 v.value = nil
 v.isSet = false
 }
-func NewNullableGetParametersResponse(val *GetParametersResponse) *NullableGetParametersResponse {
- return &NullableGetParametersResponse{value: val, isSet: true}
+func NewNullableGetFedCmParametersResponse(val *GetFedCmParametersResponse) *NullableGetFedCmParametersResponse {
+ return &NullableGetFedCmParametersResponse{value: val, isSet: true}
 }
-func (v NullableGetParametersResponse) MarshalJSON() ([]byte, error) {
+func (v NullableGetFedCmParametersResponse) MarshalJSON() ([]byte, error) {
 return json.Marshal(v.value)
 }
-func (v *NullableGetParametersResponse) UnmarshalJSON(src []byte) error {
+func (v *NullableGetFedCmParametersResponse) UnmarshalJSON(src []byte) error {
 v.isSet = true
 return json.Unmarshal(src, &v.value)
 }
diff --git a/internal/httpclient/model_submit_fedcm_token_body.go b/internal/httpclient/model_submit_fedcm_token_body.go
index 8b2fbc54c70f..3c9c060b6d25 100644
--- a/internal/httpclient/model_submit_fedcm_token_body.go
+++ b/internal/httpclient/model_submit_fedcm_token_body.go
@@ -17,6 +17,13 @@ import (
 // SubmitFedcmTokenBody struct for SubmitFedcmTokenBody
 type SubmitFedcmTokenBody struct {
+ // CSRFToken is the anti-CSRF token.
+ CsrfToken *string `json:"csrf_token,omitempty"`
+ // Nonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and required.
+ Nonce *string `json:"nonce,omitempty"`
+ // The provider to log in with.
+ Provider *string `json:"provider,omitempty"`
+ // Token contains the result of `navigator.credentials.get`.
 Token *string `json:"token,omitempty"`
 }
@@ -37,6 +44,102 @@ func NewSubmitFedcmTokenBodyWithDefaults() *SubmitFedcmTokenBody {
 return &this
 }
+// GetCsrfToken returns the CsrfToken field value if set, zero value otherwise.
+func (o *SubmitFedcmTokenBody) GetCsrfToken() string {
+ if o == nil || o.CsrfToken == nil {
+ var ret string
+ return ret
+ }
+ return *o.CsrfToken
+}
+
+// GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SubmitFedcmTokenBody) GetCsrfTokenOk() (*string, bool) {
+ if o == nil || o.CsrfToken == nil {
+ return nil, false
+ }
+ return o.CsrfToken, true
+}
+
+// HasCsrfToken returns a boolean if a field has been set.
+func (o *SubmitFedcmTokenBody) HasCsrfToken() bool {
+ if o != nil && o.CsrfToken != nil {
+ return true
+ }
+
+ return false
+}
+
+// SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field.
+func (o *SubmitFedcmTokenBody) SetCsrfToken(v string) {
+ o.CsrfToken = &v
+}
+
+// GetNonce returns the Nonce field value if set, zero value otherwise.
+func (o *SubmitFedcmTokenBody) GetNonce() string {
+ if o == nil || o.Nonce == nil {
+ var ret string
+ return ret
+ }
+ return *o.Nonce
+}
+
+// GetNonceOk returns a tuple with the Nonce field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SubmitFedcmTokenBody) GetNonceOk() (*string, bool) {
+ if o == nil || o.Nonce == nil {
+ return nil, false
+ }
+ return o.Nonce, true
+}
+
+// HasNonce returns a boolean if a field has been set.
+func (o *SubmitFedcmTokenBody) HasNonce() bool {
+ if o != nil && o.Nonce != nil {
+ return true
+ }
+
+ return false
+}
+
+// SetNonce gets a reference to the given string and assigns it to the Nonce field.
+func (o *SubmitFedcmTokenBody) SetNonce(v string) {
+ o.Nonce = &v
+}
+
+// GetProvider returns the Provider field value if set, zero value otherwise.
+func (o *SubmitFedcmTokenBody) GetProvider() string {
+ if o == nil || o.Provider == nil {
+ var ret string
+ return ret
+ }
+ return *o.Provider
+}
+
+// GetProviderOk returns a tuple with the Provider field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SubmitFedcmTokenBody) GetProviderOk() (*string, bool) {
+ if o == nil || o.Provider == nil {
+ return nil, false
+ }
+ return o.Provider, true
+}
+
+// HasProvider returns a boolean if a field has been set.
+func (o *SubmitFedcmTokenBody) HasProvider() bool {
+ if o != nil && o.Provider != nil {
+ return true
+ }
+
+ return false
+}
+
+// SetProvider gets a reference to the given string and assigns it to the Provider field.
+func (o *SubmitFedcmTokenBody) SetProvider(v string) {
+ o.Provider = &v
+}
+
 // GetToken returns the Token field value if set, zero value otherwise.
 func (o *SubmitFedcmTokenBody) GetToken() string {
 if o == nil || o.Token == nil {
@@ -71,6 +174,15 @@ func (o *SubmitFedcmTokenBody) SetToken(v string) {
 func (o SubmitFedcmTokenBody) MarshalJSON() ([]byte, error) {
 toSerialize := map[string]interface{}{}
+ if o.CsrfToken != nil {
+ toSerialize["csrf_token"] = o.CsrfToken
+ }
+ if o.Nonce != nil {
+ toSerialize["nonce"] = o.Nonce
+ }
+ if o.Provider != nil {
+ toSerialize["provider"] = o.Provider
+ }
 if o.Token != nil {
 toSerialize["token"] = o.Token
 }
diff --git a/internal/httpclient/model_update_login_flow_with_oidc_method.go b/internal/httpclient/model_update_login_flow_with_oidc_method.go
index c7ebbec5e248..cdd5c665bdc5 100644
--- a/internal/httpclient/model_update_login_flow_with_oidc_method.go
+++ b/internal/httpclient/model_update_login_flow_with_oidc_method.go
@@ -17,21 +17,21 @@ import (
 // UpdateLoginFlowWithOidcMethod Update Login Flow with OpenID Connect Method
 type UpdateLoginFlowWithOidcMethod struct {
- // The Provider to register with
- Provider string `json:"Provider"`
 // The CSRF Token
 CsrfToken *string `json:"csrf_token,omitempty"`
- // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google
+ // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google
 IdToken *string `json:"id_token,omitempty"`
- // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and required.
+ // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and required.
 IdTokenNonce *string `json:"id_token_nonce,omitempty"`
 // Method to use This field must be set to `oidc` when using the oidc method.
 Method string `json:"method"`
+ // The provider to register with
+ Provider string `json:"provider"`
 // The identity traits. This is a placeholder for the registration flow.
 Traits map[string]interface{} `json:"traits,omitempty"`
 // Transient data to pass along to any webhooks
 TransientPayload map[string]interface{} `json:"transient_payload,omitempty"`
- // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
+ // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
 UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"`
 }
@@ -39,10 +39,10 @@ type UpdateLoginFlowWithOidcMethod struct {
 // This constructor will assign default values to properties that have it defined,
 // and makes sure properties required by API are set, but the set of arguments
 // will change when the set of required properties is changed
-func NewUpdateLoginFlowWithOidcMethod(provider string, method string) *UpdateLoginFlowWithOidcMethod {
+func NewUpdateLoginFlowWithOidcMethod(method string, provider string) *UpdateLoginFlowWithOidcMethod {
 this := UpdateLoginFlowWithOidcMethod{}
- this.Provider = provider
 this.Method = method
+ this.Provider = provider
 return &this
 }
@@ -54,30 +54,6 @@ func NewUpdateLoginFlowWithOidcMethodWithDefaults() *UpdateLoginFlowWithOidcMeth
 return &this
 }
-// GetProvider returns the Provider field value
-func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string {
- if o == nil {
- var ret string
- return ret
- }
-
- return o.Provider
-}
-
-// GetProviderOk returns a tuple with the Provider field value
-// and a boolean to check if the value has been set.
-func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) {
- if o == nil {
- return nil, false
- }
- return &o.Provider, true
-}
-
-// SetProvider sets field value
-func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) {
- o.Provider = v
-}
-
 // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise.
 func (o *UpdateLoginFlowWithOidcMethod) GetCsrfToken() string {
 if o == nil || o.CsrfToken == nil {
@@ -198,6 +174,30 @@ func (o *UpdateLoginFlowWithOidcMethod) SetMethod(v string) {
 o.Method = v
 }
+// GetProvider returns the Provider field value
+func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string {
+ if o == nil {
+ var ret string
+ return ret
+ }
+
+ return o.Provider
+}
+
+// GetProviderOk returns a tuple with the Provider field value
+// and a boolean to check if the value has been set.
+func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) {
+ if o == nil {
+ return nil, false
+ }
+ return &o.Provider, true
+}
+
+// SetProvider sets field value
+func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) {
+ o.Provider = v
+}
+
 // GetTraits returns the Traits field value if set, zero value otherwise.
 func (o *UpdateLoginFlowWithOidcMethod) GetTraits() map[string]interface{} {
 if o == nil || o.Traits == nil {
@@ -296,9 +296,6 @@ func (o *UpdateLoginFlowWithOidcMethod) SetUpstreamParameters(v map[string]inter
 func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) {
 toSerialize := map[string]interface{}{}
- if true {
- toSerialize["Provider"] = o.Provider
- }
 if o.CsrfToken != nil {
 toSerialize["csrf_token"] = o.CsrfToken
 }
@@ -311,6 +308,9 @@ func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) {
 if true {
 toSerialize["method"] = o.Method
 }
+ if true {
+ toSerialize["provider"] = o.Provider
+ }
 if o.Traits != nil {
 toSerialize["traits"] = o.Traits
 }
diff --git a/internal/httpclient/model_update_registration_flow_with_oidc_method.go b/internal/httpclient/model_update_registration_flow_with_oidc_method.go
index d96f8bb21777..2ee32605fee6 100644
--- a/internal/httpclient/model_update_registration_flow_with_oidc_method.go
+++ b/internal/httpclient/model_update_registration_flow_with_oidc_method.go
@@ -17,21 +17,21 @@ import (
 // UpdateRegistrationFlowWithOidcMethod Update Registration Flow with OpenID Connect Method
 type UpdateRegistrationFlowWithOidcMethod struct {
- // The Provider to register with
- Provider string `json:"Provider"`
 // The CSRF Token
 CsrfToken *string `json:"csrf_token,omitempty"`
- // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google
+ // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google
 IdToken *string `json:"id_token,omitempty"`
- // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and is required.
+ // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and is required.
 IdTokenNonce *string `json:"id_token_nonce,omitempty"`
 // Method to use This field must be set to `oidc` when using the oidc method.
 Method string `json:"method"`
+ // The provider to register with
+ Provider string `json:"provider"`
 // The identity traits
 Traits map[string]interface{} `json:"traits,omitempty"`
 // Transient data to pass along to any webhooks
 TransientPayload map[string]interface{} `json:"transient_payload,omitempty"`
- // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
+ // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
 UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"`
 }
@@ -39,10 +39,10 @@ type UpdateRegistrationFlowWithOidcMethod struct {
 // This constructor will assign default values to properties that have it defined,
 // and makes sure properties required by API are set, but the set of arguments
 // will change when the set of required properties is changed
-func NewUpdateRegistrationFlowWithOidcMethod(provider string, method string) *UpdateRegistrationFlowWithOidcMethod {
+func NewUpdateRegistrationFlowWithOidcMethod(method string, provider string) *UpdateRegistrationFlowWithOidcMethod {
 this := UpdateRegistrationFlowWithOidcMethod{}
- this.Provider = provider
 this.Method = method
+ this.Provider = provider
 return &this
 }
@@ -54,30 +54,6 @@ func NewUpdateRegistrationFlowWithOidcMethodWithDefaults() *UpdateRegistrationFl
 return &this
 }
-// GetProvider returns the Provider field value
-func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string {
- if o == nil {
- var ret string
- return ret
- }
-
- return o.Provider
-}
-
-// GetProviderOk returns a tuple with the Provider field value
-// and a boolean to check if the value has been set.
-func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) {
- if o == nil {
- return nil, false
- }
- return &o.Provider, true
-}
-
-// SetProvider sets field value
-func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) {
- o.Provider = v
-}
-
 // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise.
 func (o *UpdateRegistrationFlowWithOidcMethod) GetCsrfToken() string {
 if o == nil || o.CsrfToken == nil {
@@ -198,6 +174,30 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetMethod(v string) {
 o.Method = v
 }
+// GetProvider returns the Provider field value
+func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string {
+ if o == nil {
+ var ret string
+ return ret
+ }
+
+ return o.Provider
+}
+
+// GetProviderOk returns a tuple with the Provider field value
+// and a boolean to check if the value has been set.
+func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) {
+ if o == nil {
+ return nil, false
+ }
+ return &o.Provider, true
+}
+
+// SetProvider sets field value
+func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) {
+ o.Provider = v
+}
+
 // GetTraits returns the Traits field value if set, zero value otherwise.
 func (o *UpdateRegistrationFlowWithOidcMethod) GetTraits() map[string]interface{} {
 if o == nil || o.Traits == nil {
@@ -296,9 +296,6 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetUpstreamParameters(v map[strin
 func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) {
 toSerialize := map[string]interface{}{}
- if true {
- toSerialize["Provider"] = o.Provider
- }
 if o.CsrfToken != nil {
 toSerialize["csrf_token"] = o.CsrfToken
 }
@@ -311,6 +308,9 @@ func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) {
 if true {
 toSerialize["method"] = o.Method
 }
+ if true {
+ toSerialize["provider"] = o.Provider
+ }
 if o.Traits != nil {
 toSerialize["traits"] = o.Traits
 }
diff --git a/internal/httpclient/model_update_settings_flow_with_oidc_method.go b/internal/httpclient/model_update_settings_flow_with_oidc_method.go
index 6a1650c5c317..c54a0d1251f3 100644
--- a/internal/httpclient/model_update_settings_flow_with_oidc_method.go
+++ b/internal/httpclient/model_update_settings_flow_with_oidc_method.go
@@ -19,7 +19,7 @@ import (
 type UpdateSettingsFlowWithOidcMethod struct {
 // Flow ID is the flow's ID. in: query
 Flow *string `json:"flow,omitempty"`
- // Link this Provider Either this or `unlink` must be set. type: string in: body
+ // Link this provider Either this or `unlink` must be set. type: string in: body
 Link *string `json:"link,omitempty"`
 // Method Should be set to profile when trying to update a profile.
 Method string `json:"method"`
@@ -27,9 +27,9 @@ type UpdateSettingsFlowWithOidcMethod struct {
 Traits map[string]interface{} `json:"traits,omitempty"`
 // Transient data to pass along to any webhooks
 TransientPayload map[string]interface{} `json:"transient_payload,omitempty"`
- // Unlink this Provider Either this or `link` must be set. type: string in: body
+ // Unlink this provider Either this or `link` must be set. type: string in: body
 Unlink *string `json:"unlink,omitempty"`
- // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
+ // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.
 UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"`
 }
diff --git a/selfservice/strategy/oidc/fedcm/definitions.go b/selfservice/strategy/oidc/fedcm/definitions.go
index aa6a90ebe6e7..a21c14a7b0eb 100644
--- a/selfservice/strategy/oidc/fedcm/definitions.go
+++ b/selfservice/strategy/oidc/fedcm/definitions.go
@@ -44,7 +44,7 @@ type Provider struct {
 //
 // Contains a list of all available FedCM providers.
 //
-// swagger:model getParametersResponse
+// swagger:model getFedCmParametersResponse
 type GetParametersResponse struct {
 Providers []Provider `json:"providers"`
 CSRFToken string `json:"csrf_token"`
@@ -65,7 +65,7 @@ type GetParametersResponse struct {
 // Schemes: http, https
 //
 // Responses:
-// 200: getParametersResponse
+// 200: getFedCmParametersResponse
 // 400: errorGeneric
 // default: errorGeneric
diff --git a/selfservice/strategy/oidc/pkce.go b/selfservice/strategy/oidc/pkce.go
index c14e3d3f01e2..2b397c8702b7 100644
--- a/selfservice/strategy/oidc/pkce.go
+++ b/selfservice/strategy/oidc/pkce.go
@@ -48,7 +48,7 @@ func maybePKCE(ctx context.Context, d pkceDependencies, _p Provider) (verifier s
 // autodiscover PKCE support
 pkceSupported, err := discoverPKCE(ctx, d, p)
 if err != nil {
- d.Logger().WithError(err).Warnf("Failed to autodiscover PKCE support for Provider %q. Continuing without PKCE.", p.Config().ID)
+ d.Logger().WithError(err).Warnf("Failed to autodiscover PKCE support for provider %q. Continuing without PKCE.", p.Config().ID)
 return ""
 }
 if !pkceSupported {
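Review bot: The swagger:model annotation is renamed to getFedCmParametersResponse, but the Go type directly under it keeps the name GetParametersResponse, so the server-side struct and the generated client type (GetFedCmParametersResponse in internal/httpclient) no longer share a name and a grep for either misses the other. Renaming the struct to match, `type GetFedCmParametersResponse struct {`, would keep spec, server and clients aligned; its uses in the handler are outside this hunk and would need the same rename. The `200: getFedCmParametersResponse` response annotation in the second hunk is already consistent with the new model name.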
@@ -67,13 +67,13 @@ func discoverPKCE(ctx context.Context, d pkceDependencies, p OAuth2Provider) (pk
 ctx = gooidc.ClientContext(ctx, d.HTTPClient(ctx).HTTPClient)
 gp, err := gooidc.NewProvider(ctx, p.Config().IssuerURL)
 if err != nil {
- return false, errors.Wrap(err, "failed to initialize Provider")
+ return false, errors.Wrap(err, "failed to initialize provider")
 }
 var claims struct {
 CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
 }
 if err := gp.Claims(&claims); err != nil {
- return false, errors.Wrap(err, "failed to deserialize Provider claims")
+ return false, errors.Wrap(err, "failed to deserialize provider claims")
 }
 return slices.Contains(claims.CodeChallengeMethodsSupported, "S256"), nil
 }
diff --git a/selfservice/strategy/oidc/strategy.go b/selfservice/strategy/oidc/strategy.go
index cc7900b2d1b2..f63c8e5ded81 100644
--- a/selfservice/strategy/oidc/strategy.go
+++ b/selfservice/strategy/oidc/strategy.go
@@ -761,14 +761,14 @@ func (s *Strategy) ProcessIDToken(r *http.Request, provider Provider, idToken, i
 // If it doesn't, check if the provider supports nonces.
 if nonceSkipper, ok := verifier.(NonceValidationSkipper); !ok || !nonceSkipper.CanSkipNonce(claims) {
 // If the provider supports nonces, abort the flow!
- return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was included in the id_token but is required by the Provider"))
+ return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was included in the id_token but is required by the provider"))
 }
 // If the provider does not support nonces, we don't do validation and return the claim.
 // This case only applies to Apple, as some of their devices do not support nonces.
 // https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
 } else if idTokenNonce == "" {
 // A nonce was present in the JWT token, but no nonce was submitted in the flow
- return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was provided but is required by the Provider"))
+ return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was provided but is required by the provider"))
 } else if idTokenNonce != claims.Nonce {
 // The nonce from the JWT token does not match the nonce from the flow.
 return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("The supplied nonce does not match the nonce from the id_token"))
diff --git a/spec/api.json b/spec/api.json
index 299ca2331d2e..ef93c8cbc433 100644
--- a/spec/api.json
+++ b/spec/api.json
@@ -458,7 +458,20 @@
 },
 "SubmitFedcmTokenBody": {
 "properties": {
+ "csrf_token": {
+ "description": "CSRFToken is the anti-CSRF token.",
+ "type": "string"
+ },
+ "nonce": {
+ "description": "Nonce is the nonce, used when generating the IDToken. If the provider supports\nnonce validation, the nonce will be validated against this value and required.",
+ "type": "string"
+ },
+ "provider": {
+ "description": "The provider to log in with.",
+ "type": "string"
+ },
 "token": {
+ "description": "Token contains the result of `navigator.credentials.get`.",
 "type": "string"
 }
 },
@@ -952,7 +965,7 @@
 ],
 "type": "object"
 },
- "getParametersResponse": {
+ "getFedCmParametersResponse": {
 "description": "Contains a list of all available FedCM providers.",
 "properties": {
 "csrf_token": {
@@ -2882,26 +2895,26 @@
 "updateLoginFlowWithOidcMethod": {
 "description": "Update Login Flow with OpenID Connect Method",
 "properties": {
- "Provider": {
- "description": "The Provider to register with",
- "type": "string"
- },
 "csrf_token": {
 "description": "The CSRF Token",
 "type": "string"
 },
 "id_token": {
- "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle",
+ "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits.
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle",
 "type": "string"
 },
 "id_token_nonce": {
- "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and required.",
+ "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and required.",
 "type": "string"
 },
 "method": {
 "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.",
 "type": "string"
 },
+ "provider": {
+ "description": "The provider to register with",
+ "type": "string"
+ },
 "traits": {
 "description": "The identity traits. This is a placeholder for the registration flow.",
 "type": "object"
@@ -2911,12 +2924,12 @@
 "type": "object"
 },
 "upstream_parameters": {
- "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.",
+ "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.",
 "type": "object"
 }
 },
 "required": [
- "Provider",
+ "provider",
 "method"
 ],
 "type": "object"
@@ -3187,26 +3200,26 @@ "updateRegistrationFlowWithOidcMethod": { "description": "Update Registration Flow with OpenID Connect Method", "properties": { - "Provider": { - "description": "The Provider to register with", - "type": "string" - }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and is required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and is required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, + "provider": { + "description": "The provider to register with", + "type": "string" + }, "traits": { "description": "The identity traits", "type": "object" 
@@ -3216,12 +3229,12 @@ "type": "object" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } }, "required": [ - "Provider", + "provider", "method" ], "type": "object" @@ -3439,7 +3452,7 @@ "type": "string" }, "link": { - "description": "Link this Provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", + "description": "Link this provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", "type": "string" }, "method": { 
@@ -3455,11 +3468,11 @@ "type": "object" }, "unlink": { - "description": "Unlink this Provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", + "description": "Unlink this provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", "type": "string" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } }, @@ -5557,11 +5570,11 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/getParametersResponse" + "$ref": "#/components/schemas/getFedCmParametersResponse" } } }, - "description": "getParametersResponse" + "description": "getFedCmParametersResponse" }, "400": { "content": { 
diff --git a/spec/swagger.json b/spec/swagger.json index e0e2374259c6..5c0127a574ed 100755 --- a/spec/swagger.json +++ b/spec/swagger.json @@ -1497,9 +1497,9 @@ "operationId": "getFedcmParameters", "responses": { "200": { - "description": "getParametersResponse", + "description": "getFedCmParametersResponse", "schema": { - "$ref": "#/definitions/getParametersResponse" + "$ref": "#/definitions/getFedCmParametersResponse" } }, "400": { @@ -3762,7 +3762,20 @@ "SubmitFedcmTokenBody": { "type": "object", "properties": { + "csrf_token": { + "description": "CSRFToken is the anti-CSRF token.", + "type": "string" + }, + "nonce": { + "description": "Nonce is the nonce, used when generating the IDToken. If the provider supports\nnonce validation, the nonce will be validated against this value and required.", + "type": "string" + }, + "provider": { + "description": "The provider to log in with.", + "type": "string" + }, "token": { + "description": "Token contains the result of `navigator.credentials.get`.", "type": "string" } } @@ -4210,7 +4223,7 @@ } } }, - "getParametersResponse": { + "getFedCmParametersResponse": { "description": "Contains a list of all available FedCM providers.", "type": "object", "title": "GetParametersResponse", 
@@ -6035,30 +6048,30 @@ "description": "Update Login Flow with OpenID Connect Method", "type": "object", "required": [ - "Provider", + "provider", "method" ], "properties": { - "Provider": { - "description": "The Provider to register with", - "type": "string" - }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, + "provider": { + "description": "The provider to register with", + "type": "string" + }, "traits": { "description": "The identity traits. This is a placeholder for the registration flow.", "type": "object" 
@@ -6068,7 +6081,7 @@ "type": "object" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } } 
@@ -6296,30 +6309,30 @@ "description": "Update Registration Flow with OpenID Connect Method", "type": "object", "required": [ - "Provider", + "provider", "method" ], "properties": { - "Provider": { - "description": "The Provider to register with", - "type": "string" - }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and is required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and is required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, + "provider": { + "description": "The provider to register with", + "type": "string" + }, "traits": { "description": "The identity traits", "type": "object" 
@@ -6329,7 +6342,7 @@ "type": "object" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } } @@ -6517,7 +6530,7 @@ "type": "string" }, "link": { - "description": "Link this Provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", + "description": "Link this provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", "type": "string" }, "method": { 
@@ -6533,11 +6546,11 @@ "type": "object" }, "unlink": { - "description": "Unlink this Provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", + "description": "Unlink this provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", "type": "string" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } } From 017cc55b47f42f9317ad280dc21537d1a1bebeb7 Mon Sep 17 00:00:00 2001 
From: Henning Perl Date: Tue, 28 Jan 2025 13:46:01 +0100 Subject: [PATCH 3/9] add netid token claim support --- embedx/config.schema.json | 6 +++ .../strategy/oidc/fedcm/definitions.go | 3 ++ selfservice/strategy/oidc/provider_config.go | 4 ++ selfservice/strategy/oidc/provider_netid.go | 38 ++++++++++++++++--- .../strategy/oidc/provider_netid_test.go | 29 ++++++++++++++ 5 files changed, 74 insertions(+), 6 deletions(-) create mode 100644 selfservice/strategy/oidc/provider_netid_test.go diff --git a/embedx/config.schema.json b/embedx/config.schema.json index ad4db74df0e9..049de330a512 100644 --- a/embedx/config.schema.json +++ b/embedx/config.schema.json @@ -586,6 +586,12 @@ "type": "string", "format": "uri", "examples": ["https://example.com/config.json"] + }, + "net_id_token_origin_header": { + "title": "NetID Token Origin Header", + "description": "Contains the orgin header to be used when exchanging a NetID FedCM token for an ID token", + "type": "string", + "examples": ["https://example.com"] } }, "additionalProperties": false, diff --git a/selfservice/strategy/oidc/fedcm/definitions.go b/selfservice/strategy/oidc/fedcm/definitions.go index a21c14a7b0eb..f72a6e676d9e 100644 --- a/selfservice/strategy/oidc/fedcm/definitions.go +++ b/selfservice/strategy/oidc/fedcm/definitions.go @@ -85,6 +85,9 @@ type SubmitFedcmTokenBody struct { } // swagger:parameters submitFedcmToken +// +//nolint:deadcode,unused +//lint:ignore U1000 Used to generate Swagger and OpenAPI definitions type submitFedcmToken struct { // in: body // required: true diff --git a/selfservice/strategy/oidc/provider_config.go b/selfservice/strategy/oidc/provider_config.go index e27dd6db25fc..c9de47e3d799 100644 --- a/selfservice/strategy/oidc/provider_config.go +++ b/selfservice/strategy/oidc/provider_config.go 
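Review bot: The new `net_id_token_origin_header` property has a typo in its description ("orgin") and, unlike the sibling `fedcm_config_url`, carries no format constraint even though the value is sent verbatim as an `Origin` header. I would write `"description": "The value sent as the Origin header when exchanging a NetID FedCM token for an ID token, e.g. the origin registered with NetID for this client."` and add `"format": "uri"` so a malformed origin is rejected at config load rather than silently forwarded to the broker. The exact registration requirement on the NetID side is not visible here, so that part of the wording should be confirmed.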
@@ -132,6 +132,10 @@ type Configuration struct { // FedCMConfigURL is the URL to the FedCM IdP configuration file. // This is only effective in the Ory Network. FedCMConfigURL string `json:"fedcm_config_url"` + + // NetIDTokenOriginHeader contains the orgin header to be used when exchanging a + // NetID FedCM token for an ID token. + NetIDTokenOriginHeader string `json:"net_id_token_origin_header"` } func (p Configuration) Redir(public *url.URL) string { diff --git a/selfservice/strategy/oidc/provider_netid.go b/selfservice/strategy/oidc/provider_netid.go index 93e3f3532cea..5bbab1931e92 100644 --- a/selfservice/strategy/oidc/provider_netid.go +++ b/selfservice/strategy/oidc/provider_netid.go @@ -4,12 +4,14 @@ package oidc import ( + "bytes" "context" "encoding/json" "fmt" + "io" "net/url" "slices" - "testing" + "strings" "github.com/coreos/go-oidc/v3/oidc" "github.com/hashicorp/go-retryablehttp" 
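Review bot: The doc comment on `NetIDTokenOriginHeader` has the typo "orgin" and does not say what happens when the field is left empty, which matters because the value is passed straight to `req.Header.Set("Origin", ...)` and an empty string yields an empty `Origin` header rather than none. I would write `// NetIDTokenOriginHeader is the value sent as the Origin header when exchanging a NetID FedCM token for an ID token. It should presumably match the origin registered with NetID for this client; when empty, an empty Origin header is sent.` The `Configuration` struct starts before this hunk.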
@@ -123,13 +125,37 @@ func (n *ProviderNetID) Verify(ctx context.Context, rawIDToken string) (*Claims, return nil, err } + req, err := retryablehttp.NewRequestWithContext(ctx, "POST", urlx.AppendPaths(n.brokerURL(), "/token").String(), strings.NewReader(url.Values{ + "grant_type": {"netid_fedcm"}, + "fedcm_token": {rawIDToken}, + }.Encode())) + if err != nil { + return nil, err + } + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Origin", n.config.NetIDTokenOriginHeader) + res, err := n.reg.HTTPClient(ctx).Do(req) + if err != nil { + return nil, err + } + + token := struct { + IDToken string `json:"id_token"` + }{} + + body, err := io.ReadAll(res.Body) + if err != nil { + return nil, err + } + + if err := json.NewDecoder(bytes.NewBuffer(body)).Decode(&token); err != nil { + return nil, err + } + idToken, err := provider.VerifierContext( n.withHTTPClientContext(ctx), - &oidc.Config{ - ClientID: n.config.ClientID, - InsecureSkipSignatureCheck: testing.Testing(), - }, - ).Verify(ctx, rawIDToken) + &oidc.Config{ClientID: n.config.ClientID}, + ).Verify(ctx, token.IDToken) if err != nil { return nil, err } diff --git a/selfservice/strategy/oidc/provider_netid_test.go b/selfservice/strategy/oidc/provider_netid_test.go new file mode 100644 index 000000000000..759bc663acbe --- /dev/null +++ b/selfservice/strategy/oidc/provider_netid_test.go 
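Review bot: The response body from the NetID `/token` exchange is never closed and its status code is never checked, so a non-2xx reply (expired or rejected FedCM token) is decoded as an empty `id_token` and only fails later inside the verifier with a misleading error, while the unclosed body also blocks connection reuse. `io.ReadAll` buffers an unbounded remote response, and the `bytes.NewBuffer`/`json.NewDecoder` pair can be a single decode. I would `defer res.Body.Close()`, reject anything other than 200, bound the reader and fail explicitly on an empty `id_token`, as sketched below (`net/http` needs importing if the file does not already have it). Dropping `InsecureSkipSignatureCheck: testing.Testing()` from the verifier config is a good change. `Verify` begins and ends outside this hunk.
```go
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Origin", n.config.NetIDTokenOriginHeader)
res, err := n.reg.HTTPClient(ctx).Do(req)
if err != nil {
	return nil, err
}
defer res.Body.Close()

if res.StatusCode != http.StatusOK {
	return nil, fmt.Errorf("netid token endpoint returned unexpected status %d", res.StatusCode)
}

var token struct {
	IDToken string `json:"id_token"`
}
// The broker is a remote party: bound how much of its reply we buffer.
if err := json.NewDecoder(io.LimitReader(res.Body, 1<<20)).Decode(&token); err != nil {
	return nil, err
}
if token.IDToken == "" {
	return nil, fmt.Errorf("netid token endpoint returned no id_token")
}
// … unchanged: provider.VerifierContext(...).Verify(ctx, token.IDToken) …
```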
@@ -0,0 +1,29 @@ +// Copyright © 2023 Ory Corp +// SPDX-License-Identifier: Apache-2.0 + +package oidc_test + +import ( + "context" + "testing" + + "github.com/stretchr/testify/require" + + "github.com/ory/kratos/internal" + "github.com/ory/kratos/selfservice/strategy/oidc" +) + +func TestNetidProvider(t *testing.T) { + t.Skip("can't test this automatically, because the token is only valid for a short time") + _, reg := internal.NewVeryFastRegistryWithoutDB(t) + + p := oidc.NewProviderNetID(&oidc.Configuration{ + ClientID: "9b56b26a-e93d-4fce-8f16-951a9858f23e", + }, reg) + + rawToken := `...` + + claims, err := p.(oidc.IDTokenVerifier).Verify(context.Background(), rawToken) + require.NoError(t, err) + require.NotNil(t, claims) +} From c2d008e0df121f9bac594e902a5f1bb44e160cee Mon Sep 17 00:00:00 2001 From: Henning Perl Date: Thu, 30 Jan 2025 15:30:12 +0100 Subject: [PATCH 4/9] fix tests --- internal/client-go/go.sum | 1 + selfservice/strategy/oidc/strategy.go | 12 ++++++------ 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/internal/client-go/go.sum b/internal/client-go/go.sum index c966c8ddfd0d..6cc3f5911d11 100644 --- a/internal/client-go/go.sum +++ b/internal/client-go/go.sum 
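Review bot: The new test is unconditionally skipped and `rawToken` is a placeholder, so the token-exchange path added to `ProviderNetID.Verify` has no automated coverage and a regression in the `/token` request or response handling would go unnoticed. If `brokerURL()` can be pointed at a test server (not visible here), an `httptest.Server` answering `POST /token` with a fixed `{"id_token": ...}` signed by a test key, together with a stubbed issuer/JWKS, would exercise the exchange without depending on a short-lived real token. At minimum the skip reason should tell the next person what to do, e.g. `t.Skip("manual test: paste a freshly obtained NetID FedCM token into rawToken; tokens are short-lived")`.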
@@ -4,6 +4,7 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= diff --git a/selfservice/strategy/oidc/strategy.go b/selfservice/strategy/oidc/strategy.go index f63c8e5ded81..bb0728c652d8 100644 --- a/selfservice/strategy/oidc/strategy.go +++ b/selfservice/strategy/oidc/strategy.go 
@@ -745,15 +745,15 @@ func (s *Strategy) CompletedAuthenticationMethod(ctx context.Context) session.Au func (s *Strategy) ProcessIDToken(r *http.Request, provider Provider, idToken, idTokenNonce string) (*Claims, error) { verifier, ok := provider.(IDTokenVerifier) if !ok { - return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("The Provider %s does not support id_token verification", provider.Config().Provider)) + return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The provider %s does not support id_token verification", provider.Config().Provider)) } claims, err := verifier.Verify(r.Context(), idToken) if err != nil { - return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("Could not verify id_token").WithError(err.Error())) + return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Could not verify id_token").WithError(err.Error())) } if err := claims.Validate(); err != nil { - return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("The id_token claims were invalid").WithError(err.Error())) + return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The id_token claims were invalid").WithError(err.Error())) } // First check if the JWT contains the nonce claim. 
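Review bot: Mapping a failed id_token verification or invalid claims to `herodot.ErrInternalServerError` misclassifies a client-supplied bad token as a server fault: the caller submitted the `id_token`, so a signature, issuer or claim failure is a 4xx condition, and as a 500 it will trip server-error alerting and hide the cause from SDK users. If the intent is to route these errors to the generic error page instead of rendering them into the flow, the commit message ("fix tests") should say so; otherwise I would keep `herodot.ErrBadRequest` here and in the nonce branches of the following hunk, which receive the same mapping. Note that `.WithError(err.Error())` still copies the verifier's raw error text into the response either way. `ProcessIDToken` continues past this hunk.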
@@ -761,17 +761,17 @@ func (s *Strategy) ProcessIDToken(r *http.Request, provider Provider, idToken, i // If it doesn't, check if the provider supports nonces. if nonceSkipper, ok := verifier.(NonceValidationSkipper); !ok || !nonceSkipper.CanSkipNonce(claims) { // If the provider supports nonces, abort the flow! - return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was included in the id_token but is required by the provider")) + return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("No nonce was included in the id_token but is required by the provider")) } // If the provider does not support nonces, we don't do validation and return the claim. // This case only applies to Apple, as some of their devices do not support nonces. // https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple } else if idTokenNonce == "" { // A nonce was present in the JWT token, but no nonce was submitted in the flow - return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was provided but is required by the provider")) + return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("No nonce was provided but is required by the provider")) } else if idTokenNonce != claims.Nonce { // The nonce from the JWT token does not match the nonce from the flow. - return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("The supplied nonce does not match the nonce from the id_token")) + return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The supplied nonce does not match the nonce from the id_token")) } // Nonce checking was successful From 7a4266d9033b14e1763602c37956016f9e08ee9b Mon Sep 17 00:00:00 2001 From: Henning Perl Date: Fri, 31 Jan 2025 08:40:18 +0100 Subject: [PATCH 5/9] revert some renames --- selfservice/strategy/oidc/strategy.go | 42 +++++++++++++-------------- 1 file changed, 21 insertions(+), 21 deletions(-) 
diff --git a/selfservice/strategy/oidc/strategy.go b/selfservice/strategy/oidc/strategy.go index bb0728c652d8..d22e6fe000c0 100644 --- a/selfservice/strategy/oidc/strategy.go +++ b/selfservice/strategy/oidc/strategy.go @@ -402,7 +402,7 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt req, state, cntnr, err := s.ValidateCallback(w, r, ps) if err != nil { if req != nil { - s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.forwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) } else { s.d.SelfServiceErrorManager().Forward(ctx, w, r, s.HandleError(ctx, w, r, nil, "", nil, err)) } @@ -410,14 +410,14 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt } if authenticated, err := s.alreadyAuthenticated(ctx, w, r, req); err != nil { - s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.forwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) } else if authenticated { return } provider, err := s.Provider(ctx, state.ProviderId) if err != nil { - s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.forwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } 
@@ -427,37 +427,37 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt case OAuth2Provider: token, err := s.exchangeCode(ctx, p, code, PKCEVerifier(state)) if err != nil { - s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.forwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } et, err = s.encryptOAuth2Tokens(ctx, token) if err != nil { - s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.forwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } claims, err = p.Claims(ctx, token, r.URL.Query()) if err != nil { - s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.forwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } case OAuth1Provider: token, err := p.ExchangeToken(ctx, r) if err != nil { - s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.forwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } claims, err = p.Claims(ctx, token) if err != nil { - s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.forwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } } if err = claims.Validate(); err != nil { - s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.forwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } @@ -472,10 +472,10 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt return } if ff != nil { - s.ForwardError(ctx, w, r, ff, err) + s.forwardError(ctx, w, r, ff, err) return } - s.ForwardError(ctx, w, r, a, err) + s.forwardError(ctx, w, r, a, err) } return case *registration.Flow: 
@@ -483,10 +483,10 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt a.TransientPayload = cntnr.TransientPayload if ff, err := s.processRegistration(ctx, w, r, a, et, claims, provider, cntnr); err != nil { if ff != nil { - s.ForwardError(ctx, w, r, ff, err) + s.forwardError(ctx, w, r, ff, err) return } - s.ForwardError(ctx, w, r, a, err) + s.forwardError(ctx, w, r, a, err) } return case *settings.Flow: @@ -494,16 +494,16 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt a.TransientPayload = cntnr.TransientPayload sess, err := s.d.SessionManager().FetchFromRequest(ctx, r) if err != nil { - s.ForwardError(ctx, w, r, a, s.HandleError(ctx, w, r, a, state.ProviderId, nil, err)) + s.forwardError(ctx, w, r, a, s.HandleError(ctx, w, r, a, state.ProviderId, nil, err)) return } if err := s.linkProvider(ctx, w, r, &settings.UpdateContext{Session: sess, Flow: a}, et, claims, provider); err != nil { - s.ForwardError(ctx, w, r, a, s.HandleError(ctx, w, r, a, state.ProviderId, nil, err)) + s.forwardError(ctx, w, r, a, s.HandleError(ctx, w, r, a, state.ProviderId, nil, err)) return } return default: - s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, errors.WithStack(x.PseudoPanic. + s.forwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, errors.WithStack(x.PseudoPanic. WithDetailf("cause", "Unexpected type in OpenID Connect flow: %T", a)))) return } @@ -565,7 +565,7 @@ func (s *Strategy) Provider(ctx context.Context, id string) (Provider, error) { } } -func (s *Strategy) ForwardError(ctx context.Context, w http.ResponseWriter, r *http.Request, f flow.Flow, err error) { +func (s *Strategy) forwardError(ctx context.Context, w http.ResponseWriter, r *http.Request, f flow.Flow, err error) { switch ff := f.(type) { case *login.Flow: s.d.LoginFlowErrorHandler().WriteFlowError(w, r, ff, s.NodeGroup(), err) 
@@ -680,13 +680,13 @@ func (s *Strategy) populateAccountLinkingUI(ctx context.Context, lf *login.Flow,
 continue
 }
- // Skip the Provider that was used to get here (in case they used an OIDC Provider)
+ // Skip the provider that was used to get here (in case they used an OIDC provider)
 pID := gjson.GetBytes(n.Meta.Label.Context, "provider_id").String()
 if n.Group == node.OpenIDConnectGroup {
 if pID == usedProviderID {
 continue
 }
- // Hide any Provider that is not available for the user
+ // Hide any provider that is not available for the user
 if loginHintsEnabled && !slices.Contains(availableProviders, pID) {
 continue
 }
@@ -697,7 +697,7 @@ func (s *Strategy) populateAccountLinkingUI(ctx context.Context, lf *login.Flow,
 case text.InfoSelfServiceLogin:
 n.Meta.Label = text.NewInfoLoginAndLink()
 case text.InfoSelfServiceLoginWith:
- p := gjson.GetBytes(n.Meta.Label.Context, "Provider").String()
+ p := gjson.GetBytes(n.Meta.Label.Context, "provider").String()
 n.Meta.Label = text.NewInfoLoginWithAndLink(p)
 }
@@ -780,7 +780,7 @@ func (s *Strategy) ProcessIDToken(r *http.Request, provider Provider, idToken, i
 func (s *Strategy) linkCredentials(ctx context.Context, i *identity.Identity, tokens *identity.CredentialsOIDCEncryptedTokens, provider, subject, organization string) (err error) {
 ctx, span := s.d.Tracer(ctx).Tracer().Start(ctx, "strategy.oidc.linkCredentials", trace.WithAttributes(
- attribute.String("Provider", provider),
+ attribute.String("provider", provider),
 // attribute.String("subject", subject), // PII
 attribute.String("organization", organization)))
 defer otelx.End(span, &err)
From 210d6dc0355126a1029b5b3f1cb2c76ceda253d5 Mon Sep 17 00:00:00 2001
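Review bot: The lookup on the `p := gjson.GetBytes(n.Meta.Label.Context, "provider").String()` line fails silently: when the label context does not carry that key (or carries it under a different spelling, as the replaced line did), `p` is the empty string and the node is relabelled with an empty provider name instead of keeping its original label. Gating the relabel on presence avoids that: `if r := gjson.GetBytes(n.Meta.Label.Context, "provider"); r.Exists() { n.Meta.Label = text.NewInfoLoginWithAndLink(r.String()) }`. The producer of that context (presumably the `text` constructor for `InfoSelfServiceLoginWith`) is outside this hunk, so confirm it emits the lowercase key. populateAccountLinkingUI starts and ends outside the hunk.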
From: Henning Perl
Date: Fri, 31 Jan 2025 10:48:55 +0100
Subject: [PATCH 6/9] update SDK
---
 internal/client-go/go.sum | 1 -
 .../model_submit_fedcm_token_body.go | 103 +++++-------------
 .../model_submit_fedcm_token_body.go | 103 +++++-------------
 .../strategy/oidc/fedcm/definitions.go | 13 ++-
 spec/api.json | 10 +-
 spec/swagger.json | 10 +-
 6 files changed, 70 insertions(+), 170 deletions(-)
diff --git a/internal/client-go/go.sum b/internal/client-go/go.sum
index 6cc3f5911d11..c966c8ddfd0d 100644
--- a/internal/client-go/go.sum
+++ b/internal/client-go/go.sum
@@ -4,7 +4,6 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/internal/client-go/model_submit_fedcm_token_body.go b/internal/client-go/model_submit_fedcm_token_body.go
index 3c9c060b6d25..a8032c3a8cce 100644
--- a/internal/client-go/model_submit_fedcm_token_body.go
+++ b/internal/client-go/model_submit_fedcm_token_body.go
@@ -18,21 +18,21 @@ import ( // SubmitFedcmTokenBody struct for SubmitFedcmTokenBody type SubmitFedcmTokenBody struct { // CSRFToken is the anti-CSRF token. - CsrfToken *string `json:"csrf_token,omitempty"` - // Nonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and required. + CsrfToken string `json:"csrf_token"` + // Nonce is the nonce that was used in the `navigator.credentials.get` call. If specified, it must match the `nonce` claim in the token. Nonce *string `json:"nonce,omitempty"` - // The provider to log in with. - Provider *string `json:"provider,omitempty"` // Token contains the result of `navigator.credentials.get`. - Token *string `json:"token,omitempty"` + Token string `json:"token"` } // NewSubmitFedcmTokenBody instantiates a new SubmitFedcmTokenBody object // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewSubmitFedcmTokenBody() *SubmitFedcmTokenBody { +func NewSubmitFedcmTokenBody(csrfToken string, token string) *SubmitFedcmTokenBody { this := SubmitFedcmTokenBody{} + this.CsrfToken = csrfToken + this.Token = token return &this } 
@@ -44,36 +44,28 @@ func NewSubmitFedcmTokenBodyWithDefaults() *SubmitFedcmTokenBody { return &this } -// GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. +// GetCsrfToken returns the CsrfToken field value func (o *SubmitFedcmTokenBody) GetCsrfToken() string { - if o == nil || o.CsrfToken == nil { + if o == nil { var ret string return ret } - return *o.CsrfToken + + return o.CsrfToken } -// GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise +// GetCsrfTokenOk returns a tuple with the CsrfToken field value // and a boolean to check if the value has been set. func (o *SubmitFedcmTokenBody) GetCsrfTokenOk() (*string, bool) { - if o == nil || o.CsrfToken == nil { + if o == nil { return nil, false } - return o.CsrfToken, true + return &o.CsrfToken, true } -// HasCsrfToken returns a boolean if a field has been set. -func (o *SubmitFedcmTokenBody) HasCsrfToken() bool { - if o != nil && o.CsrfToken != nil { - return true - } - - return false -} - -// SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field. +// SetCsrfToken sets field value func (o *SubmitFedcmTokenBody) SetCsrfToken(v string) { - o.CsrfToken = &v + o.CsrfToken = v } // GetNonce returns the Nonce field value if set, zero value otherwise. 
@@ -108,82 +100,39 @@ func (o *SubmitFedcmTokenBody) SetNonce(v string) { o.Nonce = &v } -// GetProvider returns the Provider field value if set, zero value otherwise. -func (o *SubmitFedcmTokenBody) GetProvider() string { - if o == nil || o.Provider == nil { - var ret string - return ret - } - return *o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value if set, nil otherwise -// and a boolean to check if the value has been set. -func (o *SubmitFedcmTokenBody) GetProviderOk() (*string, bool) { - if o == nil || o.Provider == nil { - return nil, false - } - return o.Provider, true -} - -// HasProvider returns a boolean if a field has been set. -func (o *SubmitFedcmTokenBody) HasProvider() bool { - if o != nil && o.Provider != nil { - return true - } - - return false -} - -// SetProvider gets a reference to the given string and assigns it to the Provider field. -func (o *SubmitFedcmTokenBody) SetProvider(v string) { - o.Provider = &v -} - -// GetToken returns the Token field value if set, zero value otherwise. +// GetToken returns the Token field value func (o *SubmitFedcmTokenBody) GetToken() string { - if o == nil || o.Token == nil { + if o == nil { var ret string return ret } - return *o.Token + + return o.Token } -// GetTokenOk returns a tuple with the Token field value if set, nil otherwise +// GetTokenOk returns a tuple with the Token field value // and a boolean to check if the value has been set. func (o *SubmitFedcmTokenBody) GetTokenOk() (*string, bool) { - if o == nil || o.Token == nil { + if o == nil { return nil, false } - return o.Token, true -} - -// HasToken returns a boolean if a field has been set. -func (o *SubmitFedcmTokenBody) HasToken() bool { - if o != nil && o.Token != nil { - return true - } - - return false + return &o.Token, true } -// SetToken gets a reference to the given string and assigns it to the Token field. 
+// SetToken sets field value func (o *SubmitFedcmTokenBody) SetToken(v string) { - o.Token = &v + o.Token = v } func (o SubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} - if o.CsrfToken != nil { + if true { toSerialize["csrf_token"] = o.CsrfToken } if o.Nonce != nil { toSerialize["nonce"] = o.Nonce } - if o.Provider != nil { - toSerialize["provider"] = o.Provider - } - if o.Token != nil { + if true { toSerialize["token"] = o.Token } return json.Marshal(toSerialize) diff --git a/internal/httpclient/model_submit_fedcm_token_body.go b/internal/httpclient/model_submit_fedcm_token_body.go index 3c9c060b6d25..a8032c3a8cce 100644 --- a/internal/httpclient/model_submit_fedcm_token_body.go +++ b/internal/httpclient/model_submit_fedcm_token_body.go 
@@ -18,21 +18,21 @@ import ( // SubmitFedcmTokenBody struct for SubmitFedcmTokenBody type SubmitFedcmTokenBody struct { // CSRFToken is the anti-CSRF token. - CsrfToken *string `json:"csrf_token,omitempty"` - // Nonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and required. + CsrfToken string `json:"csrf_token"` + // Nonce is the nonce that was used in the `navigator.credentials.get` call. If specified, it must match the `nonce` claim in the token. Nonce *string `json:"nonce,omitempty"` - // The provider to log in with. - Provider *string `json:"provider,omitempty"` // Token contains the result of `navigator.credentials.get`. - Token *string `json:"token,omitempty"` + Token string `json:"token"` } // NewSubmitFedcmTokenBody instantiates a new SubmitFedcmTokenBody object // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewSubmitFedcmTokenBody() *SubmitFedcmTokenBody { +func NewSubmitFedcmTokenBody(csrfToken string, token string) *SubmitFedcmTokenBody { this := SubmitFedcmTokenBody{} + this.CsrfToken = csrfToken + this.Token = token return &this } 
@@ -44,36 +44,28 @@ func NewSubmitFedcmTokenBodyWithDefaults() *SubmitFedcmTokenBody { return &this } -// GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. +// GetCsrfToken returns the CsrfToken field value func (o *SubmitFedcmTokenBody) GetCsrfToken() string { - if o == nil || o.CsrfToken == nil { + if o == nil { var ret string return ret } - return *o.CsrfToken + + return o.CsrfToken } -// GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise +// GetCsrfTokenOk returns a tuple with the CsrfToken field value // and a boolean to check if the value has been set. func (o *SubmitFedcmTokenBody) GetCsrfTokenOk() (*string, bool) { - if o == nil || o.CsrfToken == nil { + if o == nil { return nil, false } - return o.CsrfToken, true + return &o.CsrfToken, true } -// HasCsrfToken returns a boolean if a field has been set. -func (o *SubmitFedcmTokenBody) HasCsrfToken() bool { - if o != nil && o.CsrfToken != nil { - return true - } - - return false -} - -// SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field. +// SetCsrfToken sets field value func (o *SubmitFedcmTokenBody) SetCsrfToken(v string) { - o.CsrfToken = &v + o.CsrfToken = v } // GetNonce returns the Nonce field value if set, zero value otherwise. 
@@ -108,82 +100,39 @@ func (o *SubmitFedcmTokenBody) SetNonce(v string) { o.Nonce = &v } -// GetProvider returns the Provider field value if set, zero value otherwise. -func (o *SubmitFedcmTokenBody) GetProvider() string { - if o == nil || o.Provider == nil { - var ret string - return ret - } - return *o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value if set, nil otherwise -// and a boolean to check if the value has been set. -func (o *SubmitFedcmTokenBody) GetProviderOk() (*string, bool) { - if o == nil || o.Provider == nil { - return nil, false - } - return o.Provider, true -} - -// HasProvider returns a boolean if a field has been set. -func (o *SubmitFedcmTokenBody) HasProvider() bool { - if o != nil && o.Provider != nil { - return true - } - - return false -} - -// SetProvider gets a reference to the given string and assigns it to the Provider field. -func (o *SubmitFedcmTokenBody) SetProvider(v string) { - o.Provider = &v -} - -// GetToken returns the Token field value if set, zero value otherwise. +// GetToken returns the Token field value func (o *SubmitFedcmTokenBody) GetToken() string { - if o == nil || o.Token == nil { + if o == nil { var ret string return ret } - return *o.Token + + return o.Token } -// GetTokenOk returns a tuple with the Token field value if set, nil otherwise +// GetTokenOk returns a tuple with the Token field value // and a boolean to check if the value has been set. func (o *SubmitFedcmTokenBody) GetTokenOk() (*string, bool) { - if o == nil || o.Token == nil { + if o == nil { return nil, false } - return o.Token, true -} - -// HasToken returns a boolean if a field has been set. -func (o *SubmitFedcmTokenBody) HasToken() bool { - if o != nil && o.Token != nil { - return true - } - - return false + return &o.Token, true } -// SetToken gets a reference to the given string and assigns it to the Token field. 
+// SetToken sets field value
 func (o *SubmitFedcmTokenBody) SetToken(v string) {
- o.Token = &v
+ o.Token = v
 }
 func (o SubmitFedcmTokenBody) MarshalJSON() ([]byte, error) {
 toSerialize := map[string]interface{}{}
- if o.CsrfToken != nil {
+ if true {
 toSerialize["csrf_token"] = o.CsrfToken
 }
 if o.Nonce != nil {
 toSerialize["nonce"] = o.Nonce
 }
- if o.Provider != nil {
- toSerialize["provider"] = o.Provider
- }
- if o.Token != nil {
+ if true {
 toSerialize["token"] = o.Token
 }
 return json.Marshal(toSerialize)
diff --git a/selfservice/strategy/oidc/fedcm/definitions.go b/selfservice/strategy/oidc/fedcm/definitions.go
index f72a6e676d9e..2e14c03ed174 100644
--- a/selfservice/strategy/oidc/fedcm/definitions.go
+++ b/selfservice/strategy/oidc/fedcm/definitions.go
@@ -70,17 +70,20 @@ type GetParametersResponse struct {
 // default: errorGeneric
 type SubmitFedcmTokenBody struct {
- // The provider to log in with.
- Provider string `json:"provider"`
-
 // Token contains the result of `navigator.credentials.get`.
+ //
+ // required: true
 Token string `json:"token"`
- // Nonce is the nonce, used when generating the IDToken. If the provider supports
- // nonce validation, the nonce will be validated against this value and required.
+ // Nonce is the nonce that was used in the `navigator.credentials.get` call. If
+ // specified, it must match the `nonce` claim in the token.
+ //
+ // required: false
 Nonce string `json:"nonce"`
 // CSRFToken is the anti-CSRF token.
+ //
+ // required: true
 CSRFToken string `json:"csrf_token"`
 }
diff --git a/spec/api.json b/spec/api.json
index ef93c8cbc433..f3d10ce2e570 100644
--- a/spec/api.json
+++ b/spec/api.json
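Review bot: The `// required: true` annotations added to `Token` and `CSRFToken` in the definitions.go hunk only shape the generated spec and SDK; server-side the body is still decoded into plain strings, so nothing in this hunk rejects an empty `token` or `csrf_token`. The handler that decodes `SubmitFedcmTokenBody` (not in this hunk) should check both are non-empty before doing any provider lookup or token verification, and that check is worth stating on the type so the annotation is not mistaken for enforcement: `// required: true (spec only; the handler must reject an empty value)`. The new `Nonce` text says the claim is matched only when a nonce is specified, which reads as "omitted nonce disables the check"; if that is intended, one sentence saying so on the field would save the next reader from guessing.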
@@ -463,11 +463,7 @@ "type": "string" }, "nonce": { - "description": "Nonce is the nonce, used when generating the IDToken. If the provider supports\nnonce validation, the nonce will be validated against this value and required.", - "type": "string" - }, - "provider": { - "description": "The provider to log in with.", + "description": "Nonce is the nonce that was used in the `navigator.credentials.get` call. If\nspecified, it must match the `nonce` claim in the token.", "type": "string" }, "token": { @@ -475,6 +471,10 @@ "type": "string" } }, + "required": [ + "token", + "csrf_token" + ], "type": "object" }, "Time": { diff --git a/spec/swagger.json b/spec/swagger.json index 5c0127a574ed..97b6de6c018b 100755 --- a/spec/swagger.json +++ b/spec/swagger.json @@ -3761,17 +3761,17 @@ }, "SubmitFedcmTokenBody": { "type": "object", + "required": [ + "token", + "csrf_token" + ], "properties": { "csrf_token": { "description": "CSRFToken is the anti-CSRF token.", "type": "string" }, "nonce": { - "description": "Nonce is the nonce, used when generating the IDToken. If the provider supports\nnonce validation, the nonce will be validated against this value and required.", - "type": "string" - }, - "provider": { - "description": "The provider to log in with.", + "description": "Nonce is the nonce that was used in the `navigator.credentials.get` call. If\nspecified, it must match the `nonce` claim in the token.", "type": "string" }, "token": { From 01edcc5c068a019f902d2ad75540e9474e0d612b Mon Sep 17 00:00:00 2001 From: Henning Perl Date: Fri, 31 Jan 2025 20:16:01 +0100 Subject: [PATCH 7/9] Update selfservice/strategy/oidc/provider_netid.go Co-authored-by: Patrik --- selfservice/strategy/oidc/provider_netid.go | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/selfservice/strategy/oidc/provider_netid.go b/selfservice/strategy/oidc/provider_netid.go index 5bbab1931e92..ec74d560290f 100644 --- a/selfservice/strategy/oidc/provider_netid.go 
+++ b/selfservice/strategy/oidc/provider_netid.go
@@ -143,12 +143,7 @@ func (n *ProviderNetID) Verify(ctx context.Context, rawIDToken string) (*Claims,
 IDToken string `json:"id_token"`
 }{}
- body, err := io.ReadAll(res.Body)
- if err != nil {
- return nil, err
- }
-
- if err := json.NewDecoder(bytes.NewBuffer(body)).Decode(&token); err != nil {
+ if err := json.NewDecoder(res.Body).Decode(&token); err != nil {
 return nil, err
 }
From c06ece8632a7ad4d1a56eecb6b770836c1bc1b97 Mon Sep 17 00:00:00 2001
From: Henning Perl
Date: Fri, 31 Jan 2025 20:16:33 +0100
Subject: [PATCH 8/9] chore: sdk
---
 internal/client-go/.openapi-generator/FILES | 8 +-
 internal/client-go/README.md | 8 +-
 internal/client-go/api_frontend.go | 580 +++++++++---------
 ...go => model_create_fedcm_flow_response.go} | 54 +-
 ...ody.go => model_update_fedcm_flow_body.go} | 58 +-
 internal/httpclient/.openapi-generator/FILES | 8 +-
 internal/httpclient/README.md | 8 +-
 internal/httpclient/api_frontend.go | 580 +++++++++---------
 ...go => model_create_fedcm_flow_response.go} | 54 +-
 ...ody.go => model_update_fedcm_flow_body.go} | 58 +-
 .../strategy/oidc/fedcm/definitions.go | 20 +-
 selfservice/strategy/oidc/provider_netid.go | 2 -
 spec/api.json | 62 +-
 spec/swagger.json | 46 +-
 14 files changed, 772 insertions(+), 774 deletions(-)
 rename internal/client-go/{model_get_fed_cm_parameters_response.go => model_create_fedcm_flow_response.go} (59%)
 rename internal/client-go/{model_submit_fedcm_token_body.go => model_update_fedcm_flow_body.go} (63%)
 rename internal/httpclient/{model_get_fed_cm_parameters_response.go => model_create_fedcm_flow_response.go} (59%)
 rename internal/httpclient/{model_submit_fedcm_token_body.go => model_update_fedcm_flow_body.go} (63%)
diff --git a/internal/client-go/.openapi-generator/FILES b/internal/client-go/.openapi-generator/FILES
index 304b5b327fb8..e5608d3b70a9 100644
--- a/internal/client-go/.openapi-generator/FILES
+++ b/internal/client-go/.openapi-generator/FILES
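Review bot: The new `json.NewDecoder(res.Body).Decode(&token)` line still reads an unbounded response from the identity provider's token endpoint; the copy it removes was wasteful, but neither version caps the bytes the decoder will consume. Wrapping the body keeps memory bounded without changing the happy path: `if err := json.NewDecoder(io.LimitReader(res.Body, 1<<20)).Decode(&token); err != nil {`. Dropping `io.ReadAll` and `bytes.NewBuffer` probably leaves the `io` and `bytes` imports unused at this commit — the 8/9 diffstat removes two lines from this file, which looks like that cleanup — so this commit on its own may not compile, which matters for bisecting; keeping `io.LimitReader` here would also keep `io` in use. Verify starts and ends outside the hunk, so whether `res.StatusCode` is checked before decoding cannot be seen here.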
@@ -24,6 +24,7 @@ docs/ContinueWithVerificationUiFlow.md docs/CourierAPI.md docs/CourierMessageStatus.md docs/CourierMessageType.md +docs/CreateFedcmFlowResponse.md docs/CreateIdentityBody.md docs/CreateRecoveryCodeForIdentityBody.md docs/CreateRecoveryLinkForIdentityBody.md @@ -35,7 +36,6 @@ docs/ErrorGeneric.md docs/FlowError.md docs/FrontendAPI.md docs/GenericError.md -docs/GetFedCmParametersResponse.md docs/GetVersion200Response.md docs/HealthNotReadyStatus.md docs/HealthStatus.md @@ -85,7 +85,6 @@ docs/SessionAuthenticationMethod.md docs/SessionDevice.md docs/SettingsFlow.md docs/SettingsFlowState.md -docs/SubmitFedcmTokenBody.md docs/SuccessfulCodeExchangeResponse.md docs/SuccessfulNativeLogin.md docs/SuccessfulNativeRegistration.md @@ -101,6 +100,7 @@ docs/UiNodeMeta.md docs/UiNodeScriptAttributes.md docs/UiNodeTextAttributes.md docs/UiText.md +docs/UpdateFedcmFlowBody.md docs/UpdateIdentityBody.md docs/UpdateLoginFlowBody.md docs/UpdateLoginFlowWithCodeMethod.md @@ -153,6 +153,7 @@ model_continue_with_verification_ui.go model_continue_with_verification_ui_flow.go model_courier_message_status.go model_courier_message_type.go +model_create_fedcm_flow_response.go model_create_identity_body.go model_create_recovery_code_for_identity_body.go model_create_recovery_link_for_identity_body.go @@ -163,7 +164,6 @@ model_error_flow_replaced.go model_error_generic.go model_flow_error.go model_generic_error.go -model_get_fed_cm_parameters_response.go model_get_version_200_response.go model_health_not_ready_status.go model_health_status.go @@ -211,7 +211,6 @@ model_session_authentication_method.go model_session_device.go model_settings_flow.go model_settings_flow_state.go -model_submit_fedcm_token_body.go model_successful_code_exchange_response.go model_successful_native_login.go model_successful_native_registration.go 
@@ -227,6 +226,7 @@ model_ui_node_meta.go model_ui_node_script_attributes.go model_ui_node_text_attributes.go model_ui_text.go +model_update_fedcm_flow_body.go model_update_identity_body.go model_update_login_flow_body.go model_update_login_flow_with_code_method.go diff --git a/internal/client-go/README.md b/internal/client-go/README.md index e9657b0432f8..b418e308083f 100644 --- a/internal/client-go/README.md +++ b/internal/client-go/README.md @@ -87,6 +87,7 @@ Class | Method | HTTP request | Description *FrontendAPI* | [**CreateBrowserRegistrationFlow**](docs/FrontendAPI.md#createbrowserregistrationflow) | **Get** /self-service/registration/browser | Create Registration Flow for Browsers *FrontendAPI* | [**CreateBrowserSettingsFlow**](docs/FrontendAPI.md#createbrowsersettingsflow) | **Get** /self-service/settings/browser | Create Settings Flow for Browsers *FrontendAPI* | [**CreateBrowserVerificationFlow**](docs/FrontendAPI.md#createbrowserverificationflow) | **Get** /self-service/verification/browser | Create Verification Flow for Browser Clients +*FrontendAPI* | [**CreateFedcmFlow**](docs/FrontendAPI.md#createfedcmflow) | **Get** /self-service/fed-cm/parameters | Get FedCM Parameters *FrontendAPI* | [**CreateNativeLoginFlow**](docs/FrontendAPI.md#createnativeloginflow) | **Get** /self-service/login/api | Create Login Flow for Native Apps *FrontendAPI* | [**CreateNativeRecoveryFlow**](docs/FrontendAPI.md#createnativerecoveryflow) | **Get** /self-service/recovery/api | Create Recovery Flow for Native Apps *FrontendAPI* | [**CreateNativeRegistrationFlow**](docs/FrontendAPI.md#createnativeregistrationflow) | **Get** /self-service/registration/api | Create Registration Flow for Native Apps 
@@ -95,7 +96,6 @@ Class | Method | HTTP request | Description *FrontendAPI* | [**DisableMyOtherSessions**](docs/FrontendAPI.md#disablemyothersessions) | **Delete** /sessions | Disable my other sessions *FrontendAPI* | [**DisableMySession**](docs/FrontendAPI.md#disablemysession) | **Delete** /sessions/{id} | Disable one of my sessions *FrontendAPI* | [**ExchangeSessionToken**](docs/FrontendAPI.md#exchangesessiontoken) | **Get** /sessions/token-exchange | Exchange Session Token -*FrontendAPI* | [**GetFedcmParameters**](docs/FrontendAPI.md#getfedcmparameters) | **Get** /self-service/fed-cm/parameters | Get FedCM Parameters *FrontendAPI* | [**GetFlowError**](docs/FrontendAPI.md#getflowerror) | **Get** /self-service/errors | Get User-Flow Errors *FrontendAPI* | [**GetLoginFlow**](docs/FrontendAPI.md#getloginflow) | **Get** /self-service/login/flows | Get Login Flow *FrontendAPI* | [**GetRecoveryFlow**](docs/FrontendAPI.md#getrecoveryflow) | **Get** /self-service/recovery/flows | Get Recovery Flow 
@@ -105,8 +105,8 @@ Class | Method | HTTP request | Description *FrontendAPI* | [**GetWebAuthnJavaScript**](docs/FrontendAPI.md#getwebauthnjavascript) | **Get** /.well-known/ory/webauthn.js | Get WebAuthn JavaScript *FrontendAPI* | [**ListMySessions**](docs/FrontendAPI.md#listmysessions) | **Get** /sessions | Get My Active Sessions *FrontendAPI* | [**PerformNativeLogout**](docs/FrontendAPI.md#performnativelogout) | **Delete** /self-service/logout/api | Perform Logout for Native Apps -*FrontendAPI* | [**SubmitFedcmToken**](docs/FrontendAPI.md#submitfedcmtoken) | **Post** /self-service/fed-cm/token | Submit a FedCM token *FrontendAPI* | [**ToSession**](docs/FrontendAPI.md#tosession) | **Get** /sessions/whoami | Check Who the Current HTTP Session Belongs To +*FrontendAPI* | [**UpdateFedcmFlow**](docs/FrontendAPI.md#updatefedcmflow) | **Post** /self-service/fed-cm/token | Submit a FedCM token *FrontendAPI* | [**UpdateLoginFlow**](docs/FrontendAPI.md#updateloginflow) | **Post** /self-service/login | Submit a Login Flow *FrontendAPI* | [**UpdateLogoutFlow**](docs/FrontendAPI.md#updatelogoutflow) | **Get** /self-service/logout | Update Logout Flow *FrontendAPI* | [**UpdateRecoveryFlow**](docs/FrontendAPI.md#updaterecoveryflow) | **Post** /self-service/recovery | Update Recovery Flow @@ -152,6 +152,7 @@ Class | Method | HTTP request | Description - [ContinueWithVerificationUiFlow](docs/ContinueWithVerificationUiFlow.md) - [CourierMessageStatus](docs/CourierMessageStatus.md) - [CourierMessageType](docs/CourierMessageType.md) + - [CreateFedcmFlowResponse](docs/CreateFedcmFlowResponse.md) - [CreateIdentityBody](docs/CreateIdentityBody.md) - [CreateRecoveryCodeForIdentityBody](docs/CreateRecoveryCodeForIdentityBody.md) - [CreateRecoveryLinkForIdentityBody](docs/CreateRecoveryLinkForIdentityBody.md) 
@@ -162,7 +163,6 @@ Class | Method | HTTP request | Description - [ErrorGeneric](docs/ErrorGeneric.md) - [FlowError](docs/FlowError.md) - [GenericError](docs/GenericError.md) - - [GetFedCmParametersResponse](docs/GetFedCmParametersResponse.md) - [GetVersion200Response](docs/GetVersion200Response.md) - [HealthNotReadyStatus](docs/HealthNotReadyStatus.md) - [HealthStatus](docs/HealthStatus.md) @@ -210,7 +210,6 @@ Class | Method | HTTP request | Description - [SessionDevice](docs/SessionDevice.md) - [SettingsFlow](docs/SettingsFlow.md) - [SettingsFlowState](docs/SettingsFlowState.md) - - [SubmitFedcmTokenBody](docs/SubmitFedcmTokenBody.md) - [SuccessfulCodeExchangeResponse](docs/SuccessfulCodeExchangeResponse.md) - [SuccessfulNativeLogin](docs/SuccessfulNativeLogin.md) - [SuccessfulNativeRegistration](docs/SuccessfulNativeRegistration.md) @@ -226,6 +225,7 @@ Class | Method | HTTP request | Description - [UiNodeScriptAttributes](docs/UiNodeScriptAttributes.md) - [UiNodeTextAttributes](docs/UiNodeTextAttributes.md) - [UiText](docs/UiText.md) + - [UpdateFedcmFlowBody](docs/UpdateFedcmFlowBody.md) - [UpdateIdentityBody](docs/UpdateIdentityBody.md) - [UpdateLoginFlowBody](docs/UpdateLoginFlowBody.md) - [UpdateLoginFlowWithCodeMethod](docs/UpdateLoginFlowWithCodeMethod.md) diff --git a/internal/client-go/api_frontend.go b/internal/client-go/api_frontend.go index 97f0ca8b82c7..cd243b065b4b 100644 --- a/internal/client-go/api_frontend.go +++ b/internal/client-go/api_frontend.go 
@@ -201,6 +201,20 @@ type FrontendAPI interface { */ CreateBrowserVerificationFlowExecute(r FrontendAPIApiCreateBrowserVerificationFlowRequest) (*VerificationFlow, *http.Response, error) + /* + * CreateFedcmFlow Get FedCM Parameters + * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiCreateFedcmFlowRequest + */ + CreateFedcmFlow(ctx context.Context) FrontendAPIApiCreateFedcmFlowRequest + + /* + * CreateFedcmFlowExecute executes the request + * @return CreateFedcmFlowResponse + */ + CreateFedcmFlowExecute(r FrontendAPIApiCreateFedcmFlowRequest) (*CreateFedcmFlowResponse, *http.Response, error) + /* * CreateNativeLoginFlow Create Login Flow for Native Apps * This endpoint initiates a login flow for native apps that do not use a browser, such as mobile devices, smart TVs, and so on. @@ -394,20 +408,6 @@ type FrontendAPI interface { */ ExchangeSessionTokenExecute(r FrontendAPIApiExchangeSessionTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) - /* - * GetFedcmParameters Get FedCM Parameters - * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. - * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). - * @return FrontendAPIApiGetFedcmParametersRequest - */ - GetFedcmParameters(ctx context.Context) FrontendAPIApiGetFedcmParametersRequest - - /* - * GetFedcmParametersExecute executes the request - * @return GetFedCmParametersResponse - */ - GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetFedCmParametersResponse, *http.Response, error) - /* * GetFlowError Get User-Flow Errors * This endpoint returns the error associated with a user-facing self service errors. 
@@ -651,23 +651,6 @@ type FrontendAPI interface { */ PerformNativeLogoutExecute(r FrontendAPIApiPerformNativeLogoutRequest) (*http.Response, error) - /* - * SubmitFedcmToken Submit a FedCM token - * Use this endpoint to submit a token from a FedCM provider through - `navigator.credentials.get` and log the user in. The parameters from - `navigator.credentials.get` must have come from `GET - self-service/fed-cm/parameters`. - * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). - * @return FrontendAPIApiSubmitFedcmTokenRequest - */ - SubmitFedcmToken(ctx context.Context) FrontendAPIApiSubmitFedcmTokenRequest - - /* - * SubmitFedcmTokenExecute executes the request - * @return SuccessfulNativeLogin - */ - SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcmTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) - /* * ToSession Check Who the Current HTTP Session Belongs To * Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated. 
@@ -740,6 +723,23 @@ type FrontendAPI interface { */ ToSessionExecute(r FrontendAPIApiToSessionRequest) (*Session, *http.Response, error) + /* + * UpdateFedcmFlow Submit a FedCM token + * Use this endpoint to submit a token from a FedCM provider through + `navigator.credentials.get` and log the user in. The parameters from + `navigator.credentials.get` must have come from `GET + self-service/fed-cm/parameters`. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiUpdateFedcmFlowRequest + */ + UpdateFedcmFlow(ctx context.Context) FrontendAPIApiUpdateFedcmFlowRequest + + /* + * UpdateFedcmFlowExecute executes the request + * @return SuccessfulNativeLogin + */ + UpdateFedcmFlowExecute(r FrontendAPIApiUpdateFedcmFlowRequest) (*SuccessfulNativeLogin, *http.Response, error) + /* * UpdateLoginFlow Submit a Login Flow * Use this endpoint to complete a login flow. This endpoint 
@@ -1921,6 +1921,124 @@ func (a *FrontendAPIService) CreateBrowserVerificationFlowExecute(r FrontendAPIA return localVarReturnValue, localVarHTTPResponse, nil } +type FrontendAPIApiCreateFedcmFlowRequest struct { + ctx context.Context + ApiService FrontendAPI +} + +func (r FrontendAPIApiCreateFedcmFlowRequest) Execute() (*CreateFedcmFlowResponse, *http.Response, error) { + return r.ApiService.CreateFedcmFlowExecute(r) +} + +/* + * CreateFedcmFlow Get FedCM Parameters + * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiCreateFedcmFlowRequest + */ +func (a *FrontendAPIService) CreateFedcmFlow(ctx context.Context) FrontendAPIApiCreateFedcmFlowRequest { + return FrontendAPIApiCreateFedcmFlowRequest{ + ApiService: a, + ctx: ctx, + } +} + +/* + * Execute executes the request + * @return CreateFedcmFlowResponse + */ +func (a *FrontendAPIService) CreateFedcmFlowExecute(r FrontendAPIApiCreateFedcmFlowRequest) (*CreateFedcmFlowResponse, *http.Response, error) { + var ( + localVarHTTPMethod = http.MethodGet + localVarPostBody interface{} + localVarFormFileName string + localVarFileName string + localVarFileBytes []byte + localVarReturnValue *CreateFedcmFlowResponse + ) + + localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.CreateFedcmFlow") + if err != nil { + return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} + } + + localVarPath := localBasePath + "/self-service/fed-cm/parameters" + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := url.Values{} + localVarFormParams := url.Values{} + + // to determine the Content-Type header + localVarHTTPContentTypes := []string{} + + // set Content-Type header + localVarHTTPContentType := 
selectHeaderContentType(localVarHTTPContentTypes) + if localVarHTTPContentType != "" { + localVarHeaderParams["Content-Type"] = localVarHTTPContentType + } + + // to determine the Accept header + localVarHTTPHeaderAccepts := []string{"application/json"} + + // set Accept header + localVarHTTPHeaderAccept := selectHeaderAccept(localVarHTTPHeaderAccepts) + if localVarHTTPHeaderAccept != "" { + localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept + } + req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.client.callAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + localVarBody, err := io.ReadAll(io.LimitReader(localVarHTTPResponse.Body, 1024*1024)) + localVarHTTPResponse.Body.Close() + localVarHTTPResponse.Body = io.NopCloser(bytes.NewBuffer(localVarBody)) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 400 { + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + + err = 
a.client.decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: err.Error(), + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + return localVarReturnValue, localVarHTTPResponse, nil +} + type FrontendAPIApiCreateNativeLoginFlowRequest struct { ctx context.Context ApiService FrontendAPI 
@@ -3135,124 +3253,6 @@ func (a *FrontendAPIService) ExchangeSessionTokenExecute(r FrontendAPIApiExchang return localVarReturnValue, localVarHTTPResponse, nil } -type FrontendAPIApiGetFedcmParametersRequest struct { - ctx context.Context - ApiService FrontendAPI -} - -func (r FrontendAPIApiGetFedcmParametersRequest) Execute() (*GetFedCmParametersResponse, *http.Response, error) { - return r.ApiService.GetFedcmParametersExecute(r) -} - -/* - * GetFedcmParameters Get FedCM Parameters - * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. - * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). - * @return FrontendAPIApiGetFedcmParametersRequest - */ -func (a *FrontendAPIService) GetFedcmParameters(ctx context.Context) FrontendAPIApiGetFedcmParametersRequest { - return FrontendAPIApiGetFedcmParametersRequest{ - ApiService: a, - ctx: ctx, - } -} - -/* - * Execute executes the request - * @return GetFedCmParametersResponse - */ -func (a *FrontendAPIService) GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetFedCmParametersResponse, *http.Response, error) { - var ( - localVarHTTPMethod = http.MethodGet - localVarPostBody interface{} - localVarFormFileName string - localVarFileName string - localVarFileBytes []byte - localVarReturnValue *GetFedCmParametersResponse - ) - - localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.GetFedcmParameters") - if err != nil { - return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} - } - - localVarPath := localBasePath + "/self-service/fed-cm/parameters" - - localVarHeaderParams := make(map[string]string) - localVarQueryParams := url.Values{} - localVarFormParams := url.Values{} - - // to determine the Content-Type header - localVarHTTPContentTypes := []string{} - - // set Content-Type header - localVarHTTPContentType := 
selectHeaderContentType(localVarHTTPContentTypes) - if localVarHTTPContentType != "" { - localVarHeaderParams["Content-Type"] = localVarHTTPContentType - } - - // to determine the Accept header - localVarHTTPHeaderAccepts := []string{"application/json"} - - // set Accept header - localVarHTTPHeaderAccept := selectHeaderAccept(localVarHTTPHeaderAccepts) - if localVarHTTPHeaderAccept != "" { - localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept - } - req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) - if err != nil { - return localVarReturnValue, nil, err - } - - localVarHTTPResponse, err := a.client.callAPI(req) - if err != nil || localVarHTTPResponse == nil { - return localVarReturnValue, localVarHTTPResponse, err - } - - localVarBody, err := io.ReadAll(io.LimitReader(localVarHTTPResponse.Body, 1024*1024)) - localVarHTTPResponse.Body.Close() - localVarHTTPResponse.Body = io.NopCloser(bytes.NewBuffer(localVarBody)) - if err != nil { - return localVarReturnValue, localVarHTTPResponse, err - } - - if localVarHTTPResponse.StatusCode >= 300 { - newErr := &GenericOpenAPIError{ - body: localVarBody, - error: localVarHTTPResponse.Status, - } - if localVarHTTPResponse.StatusCode == 400 { - var v ErrorGeneric - err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) - if err != nil { - newErr.error = err.Error() - return localVarReturnValue, localVarHTTPResponse, newErr - } - newErr.model = v - return localVarReturnValue, localVarHTTPResponse, newErr - } - var v ErrorGeneric - err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) - if err != nil { - newErr.error = err.Error() - return localVarReturnValue, localVarHTTPResponse, newErr - } - newErr.model = v - return localVarReturnValue, localVarHTTPResponse, newErr - } - - err = 
a.client.decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) - if err != nil { - newErr := &GenericOpenAPIError{ - body: localVarBody, - error: err.Error(), - } - return localVarReturnValue, localVarHTTPResponse, newErr - } - - return localVarReturnValue, localVarHTTPResponse, nil -} - type FrontendAPIApiGetFlowErrorRequest struct { ctx context.Context ApiService FrontendAPI 
@@ -4688,33 +4688,98 @@ func (a *FrontendAPIService) PerformNativeLogoutExecute(r FrontendAPIApiPerformN return localVarHTTPResponse, nil } -type FrontendAPIApiSubmitFedcmTokenRequest struct { - ctx context.Context - ApiService FrontendAPI - submitFedcmTokenBody *SubmitFedcmTokenBody +type FrontendAPIApiToSessionRequest struct { + ctx context.Context + ApiService FrontendAPI + xSessionToken *string + cookie *string + tokenizeAs *string } -func (r FrontendAPIApiSubmitFedcmTokenRequest) SubmitFedcmTokenBody(submitFedcmTokenBody SubmitFedcmTokenBody) FrontendAPIApiSubmitFedcmTokenRequest { - r.submitFedcmTokenBody = &submitFedcmTokenBody +func (r FrontendAPIApiToSessionRequest) XSessionToken(xSessionToken string) FrontendAPIApiToSessionRequest { + r.xSessionToken = &xSessionToken + return r +} +func (r FrontendAPIApiToSessionRequest) Cookie(cookie string) FrontendAPIApiToSessionRequest { + r.cookie = &cookie + return r +} +func (r FrontendAPIApiToSessionRequest) TokenizeAs(tokenizeAs string) FrontendAPIApiToSessionRequest { + r.tokenizeAs = &tokenizeAs return r } -func (r FrontendAPIApiSubmitFedcmTokenRequest) Execute() (*SuccessfulNativeLogin, *http.Response, error) { - return r.ApiService.SubmitFedcmTokenExecute(r) +func (r FrontendAPIApiToSessionRequest) Execute() (*Session, *http.Response, error) { + return r.ApiService.ToSessionExecute(r) } /* - - SubmitFedcmToken Submit a FedCM token - - Use this endpoint to submit a token from a FedCM provider through + - ToSession Check Who the Current HTTP Session Belongs To + - Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated. -`navigator.credentials.get` and log the user in. The parameters from -`navigator.credentials.get` must have come from `GET -self-service/fed-cm/parameters`. +Returns a session object in the body or 401 if the credentials are invalid or no credentials were sent. 
+When the request it successful it adds the user ID to the 'X-Kratos-Authenticated-Identity-Id' header +in the response. + +If you call this endpoint from a server-side application, you must forward the HTTP Cookie Header to this endpoint: + +```js +pseudo-code example +router.get('/protected-endpoint', async function (req, res) { +const session = await client.toSession(undefined, req.header('cookie')) + +console.log(session) +}) +``` + +When calling this endpoint from a non-browser application (e.g. mobile app) you must include the session token: + +```js +pseudo-code example +... +const session = await client.toSession("the-session-token") + +console.log(session) +``` + +When using a token template, the token is included in the `tokenized` field of the session. + +```js +pseudo-code example +... +const session = await client.toSession("the-session-token", { tokenize_as: "example-jwt-template" }) + +console.log(session.tokenized) // The JWT +``` + +Depending on your configuration this endpoint might return a 403 status code if the session has a lower Authenticator +Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn +credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user +to sign in with the second factor or change the configuration. + +This endpoint is useful for: + +AJAX calls. Remember to send credentials and set up CORS correctly! +Reverse proxies and API Gateways +Server-side calls - use the `X-Session-Token` header! + +This endpoint authenticates users by checking: + +if the `Cookie` HTTP header was set containing an Ory Kratos Session Cookie; +if the `Authorization: bearer ` HTTP header was set with a valid Ory Kratos Session Token; +if the `X-Session-Token` HTTP header was set with a valid Ory Kratos Session Token. + +If none of these headers are set or the cookie or token are invalid, the endpoint returns a HTTP 401 status code. 
+ +As explained above, this request may fail due to several reasons. The `error.id` can be one of: + +`session_inactive`: No active session was found in the request (e.g. no Ory Session Cookie / Ory Session Token). +`session_aal2_required`: An active session was found but it does not fulfil the Authenticator Assurance Level, implying that the session must (e.g.) authenticate the second factor. - @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). - - @return FrontendAPIApiSubmitFedcmTokenRequest + - @return FrontendAPIApiToSessionRequest */ -func (a *FrontendAPIService) SubmitFedcmToken(ctx context.Context) FrontendAPIApiSubmitFedcmTokenRequest { - return FrontendAPIApiSubmitFedcmTokenRequest{ +func (a *FrontendAPIService) ToSession(ctx context.Context) FrontendAPIApiToSessionRequest { + return FrontendAPIApiToSessionRequest{ ApiService: a, ctx: ctx, } 
@@ -4722,34 +4787,34 @@ func (a *FrontendAPIService) SubmitFedcmToken(ctx context.Context) FrontendAPIAp /* * Execute executes the request - * @return SuccessfulNativeLogin + * @return Session */ -func (a *FrontendAPIService) SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcmTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) { +func (a *FrontendAPIService) ToSessionExecute(r FrontendAPIApiToSessionRequest) (*Session, *http.Response, error) { var ( - localVarHTTPMethod = http.MethodPost + localVarHTTPMethod = http.MethodGet localVarPostBody interface{} localVarFormFileName string localVarFileName string localVarFileBytes []byte - localVarReturnValue *SuccessfulNativeLogin + localVarReturnValue *Session ) - localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.SubmitFedcmToken") + localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.ToSession") if err != nil { return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} } - localVarPath := localBasePath + "/self-service/fed-cm/token" + localVarPath := localBasePath + "/sessions/whoami" localVarHeaderParams := make(map[string]string) localVarQueryParams := url.Values{} localVarFormParams := url.Values{} - if r.submitFedcmTokenBody == nil { - return localVarReturnValue, nil, reportError("submitFedcmTokenBody is required and must be specified") - } + if r.tokenizeAs != nil { + localVarQueryParams.Add("tokenize_as", parameterToString(*r.tokenizeAs, "")) + } // to determine the Content-Type header - localVarHTTPContentTypes := []string{"application/json", "application/x-www-form-urlencoded"} + localVarHTTPContentTypes := []string{} // set Content-Type header localVarHTTPContentType := selectHeaderContentType(localVarHTTPContentTypes) 
@@ -4765,8 +4830,12 @@ func (a *FrontendAPIService) SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcm if localVarHTTPHeaderAccept != "" { localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept } - // body params - localVarPostBody = r.submitFedcmTokenBody + if r.xSessionToken != nil { + localVarHeaderParams["X-Session-Token"] = parameterToString(*r.xSessionToken, "") + } + if r.cookie != nil { + localVarHeaderParams["Cookie"] = parameterToString(*r.cookie, "") + } req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) if err != nil { return localVarReturnValue, nil, err @@ -4789,17 +4858,7 @@ func (a *FrontendAPIService) SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcm body: localVarBody, error: localVarHTTPResponse.Status, } - if localVarHTTPResponse.StatusCode == 400 { - var v LoginFlow - err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) - if err != nil { - newErr.error = err.Error() - return localVarReturnValue, localVarHTTPResponse, newErr - } - newErr.model = v - return localVarReturnValue, localVarHTTPResponse, newErr - } - if localVarHTTPResponse.StatusCode == 410 { + if localVarHTTPResponse.StatusCode == 401 { var v ErrorGeneric err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) if err != nil { @@ -4809,8 +4868,8 @@ func (a *FrontendAPIService) SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcm newErr.model = v return localVarReturnValue, localVarHTTPResponse, newErr } - if localVarHTTPResponse.StatusCode == 422 { - var v ErrorBrowserLocationChangeRequired + if localVarHTTPResponse.StatusCode == 403 { + var v ErrorGeneric err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) if err != nil { newErr.error = err.Error() 
@@ -4841,98 +4900,33 @@ func (a *FrontendAPIService) SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcm return localVarReturnValue, localVarHTTPResponse, nil } -type FrontendAPIApiToSessionRequest struct { - ctx context.Context - ApiService FrontendAPI - xSessionToken *string - cookie *string - tokenizeAs *string +type FrontendAPIApiUpdateFedcmFlowRequest struct { + ctx context.Context + ApiService FrontendAPI + updateFedcmFlowBody *UpdateFedcmFlowBody } -func (r FrontendAPIApiToSessionRequest) XSessionToken(xSessionToken string) FrontendAPIApiToSessionRequest { - r.xSessionToken = &xSessionToken - return r -} -func (r FrontendAPIApiToSessionRequest) Cookie(cookie string) FrontendAPIApiToSessionRequest { - r.cookie = &cookie - return r -} -func (r FrontendAPIApiToSessionRequest) TokenizeAs(tokenizeAs string) FrontendAPIApiToSessionRequest { - r.tokenizeAs = &tokenizeAs +func (r FrontendAPIApiUpdateFedcmFlowRequest) UpdateFedcmFlowBody(updateFedcmFlowBody UpdateFedcmFlowBody) FrontendAPIApiUpdateFedcmFlowRequest { + r.updateFedcmFlowBody = &updateFedcmFlowBody return r } -func (r FrontendAPIApiToSessionRequest) Execute() (*Session, *http.Response, error) { - return r.ApiService.ToSessionExecute(r) +func (r FrontendAPIApiUpdateFedcmFlowRequest) Execute() (*SuccessfulNativeLogin, *http.Response, error) { + return r.ApiService.UpdateFedcmFlowExecute(r) } /* - - ToSession Check Who the Current HTTP Session Belongs To - - Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated. - -Returns a session object in the body or 401 if the credentials are invalid or no credentials were sent. -When the request it successful it adds the user ID to the 'X-Kratos-Authenticated-Identity-Id' header -in the response. 
- -If you call this endpoint from a server-side application, you must forward the HTTP Cookie Header to this endpoint: - -```js -pseudo-code example -router.get('/protected-endpoint', async function (req, res) { -const session = await client.toSession(undefined, req.header('cookie')) - -console.log(session) -}) -``` - -When calling this endpoint from a non-browser application (e.g. mobile app) you must include the session token: - -```js -pseudo-code example -... -const session = await client.toSession("the-session-token") - -console.log(session) -``` - -When using a token template, the token is included in the `tokenized` field of the session. - -```js -pseudo-code example -... -const session = await client.toSession("the-session-token", { tokenize_as: "example-jwt-template" }) - -console.log(session.tokenized) // The JWT -``` - -Depending on your configuration this endpoint might return a 403 status code if the session has a lower Authenticator -Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn -credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user -to sign in with the second factor or change the configuration. - -This endpoint is useful for: - -AJAX calls. Remember to send credentials and set up CORS correctly! -Reverse proxies and API Gateways -Server-side calls - use the `X-Session-Token` header! - -This endpoint authenticates users by checking: - -if the `Cookie` HTTP header was set containing an Ory Kratos Session Cookie; -if the `Authorization: bearer ` HTTP header was set with a valid Ory Kratos Session Token; -if the `X-Session-Token` HTTP header was set with a valid Ory Kratos Session Token. - -If none of these headers are set or the cookie or token are invalid, the endpoint returns a HTTP 401 status code. - -As explained above, this request may fail due to several reasons. 
The `error.id` can be one of: + - UpdateFedcmFlow Submit a FedCM token + - Use this endpoint to submit a token from a FedCM provider through -`session_inactive`: No active session was found in the request (e.g. no Ory Session Cookie / Ory Session Token). -`session_aal2_required`: An active session was found but it does not fulfil the Authenticator Assurance Level, implying that the session must (e.g.) authenticate the second factor. +`navigator.credentials.get` and log the user in. The parameters from +`navigator.credentials.get` must have come from `GET +self-service/fed-cm/parameters`. - @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). - - @return FrontendAPIApiToSessionRequest + - @return FrontendAPIApiUpdateFedcmFlowRequest */ -func (a *FrontendAPIService) ToSession(ctx context.Context) FrontendAPIApiToSessionRequest { - return FrontendAPIApiToSessionRequest{ +func (a *FrontendAPIService) UpdateFedcmFlow(ctx context.Context) FrontendAPIApiUpdateFedcmFlowRequest { + return FrontendAPIApiUpdateFedcmFlowRequest{ ApiService: a, ctx: ctx, } 
@@ -4940,34 +4934,34 @@ func (a *FrontendAPIService) ToSession(ctx context.Context) FrontendAPIApiToSess /* * Execute executes the request - * @return Session + * @return SuccessfulNativeLogin */ -func (a *FrontendAPIService) ToSessionExecute(r FrontendAPIApiToSessionRequest) (*Session, *http.Response, error) { +func (a *FrontendAPIService) UpdateFedcmFlowExecute(r FrontendAPIApiUpdateFedcmFlowRequest) (*SuccessfulNativeLogin, *http.Response, error) { var ( - localVarHTTPMethod = http.MethodGet + localVarHTTPMethod = http.MethodPost localVarPostBody interface{} localVarFormFileName string localVarFileName string localVarFileBytes []byte - localVarReturnValue *Session + localVarReturnValue *SuccessfulNativeLogin ) - localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.ToSession") + localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.UpdateFedcmFlow") if err != nil { return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} } - localVarPath := localBasePath + "/sessions/whoami" + localVarPath := localBasePath + "/self-service/fed-cm/token" localVarHeaderParams := make(map[string]string) localVarQueryParams := url.Values{} localVarFormParams := url.Values{} - - if r.tokenizeAs != nil { - localVarQueryParams.Add("tokenize_as", parameterToString(*r.tokenizeAs, "")) + if r.updateFedcmFlowBody == nil { + return localVarReturnValue, nil, reportError("updateFedcmFlowBody is required and must be specified") } + // to determine the Content-Type header - localVarHTTPContentTypes := []string{} + localVarHTTPContentTypes := []string{"application/json", "application/x-www-form-urlencoded"} // set Content-Type header localVarHTTPContentType := selectHeaderContentType(localVarHTTPContentTypes) 
@@ -4983,12 +4977,8 @@ func (a *FrontendAPIService) ToSessionExecute(r FrontendAPIApiToSessionRequest) if localVarHTTPHeaderAccept != "" { localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept } - if r.xSessionToken != nil { - localVarHeaderParams["X-Session-Token"] = parameterToString(*r.xSessionToken, "") - } - if r.cookie != nil { - localVarHeaderParams["Cookie"] = parameterToString(*r.cookie, "") - } + // body params + localVarPostBody = r.updateFedcmFlowBody req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) if err != nil { return localVarReturnValue, nil, err @@ -5011,8 +5001,8 @@ func (a *FrontendAPIService) ToSessionExecute(r FrontendAPIApiToSessionRequest) body: localVarBody, error: localVarHTTPResponse.Status, } - if localVarHTTPResponse.StatusCode == 401 { - var v ErrorGeneric + if localVarHTTPResponse.StatusCode == 400 { + var v LoginFlow err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) if err != nil { newErr.error = err.Error() @@ -5021,7 +5011,7 @@ func (a *FrontendAPIService) ToSessionExecute(r FrontendAPIApiToSessionRequest) newErr.model = v return localVarReturnValue, localVarHTTPResponse, newErr } - if localVarHTTPResponse.StatusCode == 403 { + if localVarHTTPResponse.StatusCode == 410 { var v ErrorGeneric err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) if err != nil { 
@@ -5031,6 +5021,16 @@ func (a *FrontendAPIService) ToSessionExecute(r FrontendAPIApiToSessionRequest) newErr.model = v return localVarReturnValue, localVarHTTPResponse, newErr } + if localVarHTTPResponse.StatusCode == 422 { + var v ErrorBrowserLocationChangeRequired + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } var v ErrorGeneric err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) if err != nil { diff --git a/internal/client-go/model_get_fed_cm_parameters_response.go b/internal/client-go/model_create_fedcm_flow_response.go similarity index 59% rename from internal/client-go/model_get_fed_cm_parameters_response.go rename to internal/client-go/model_create_fedcm_flow_response.go index 1563b7e2cee2..fdca32672c63 100644 --- a/internal/client-go/model_get_fed_cm_parameters_response.go +++ b/internal/client-go/model_create_fedcm_flow_response.go 
@@ -15,31 +15,31 @@ import ( "encoding/json" ) -// GetFedCmParametersResponse Contains a list of all available FedCM providers. -type GetFedCmParametersResponse struct { +// CreateFedcmFlowResponse Contains a list of all available FedCM providers. +type CreateFedcmFlowResponse struct { CsrfToken *string `json:"csrf_token,omitempty"` Providers []Provider `json:"providers,omitempty"` } -// NewGetFedCmParametersResponse instantiates a new GetFedCmParametersResponse object +// NewCreateFedcmFlowResponse instantiates a new CreateFedcmFlowResponse object // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewGetFedCmParametersResponse() *GetFedCmParametersResponse { - this := GetFedCmParametersResponse{} +func NewCreateFedcmFlowResponse() *CreateFedcmFlowResponse { + this := CreateFedcmFlowResponse{} return &this } -// NewGetFedCmParametersResponseWithDefaults instantiates a new GetFedCmParametersResponse object +// NewCreateFedcmFlowResponseWithDefaults instantiates a new CreateFedcmFlowResponse object // This constructor will only assign default values to properties that have it defined, // but it doesn't guarantee that properties required by API are set -func NewGetFedCmParametersResponseWithDefaults() *GetFedCmParametersResponse { - this := GetFedCmParametersResponse{} +func NewCreateFedcmFlowResponseWithDefaults() *CreateFedcmFlowResponse { + this := CreateFedcmFlowResponse{} return &this } // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. -func (o *GetFedCmParametersResponse) GetCsrfToken() string { +func (o *CreateFedcmFlowResponse) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { var ret string return ret 
@@ -49,7 +49,7 @@ func (o *GetFedCmParametersResponse) GetCsrfToken() string { // GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise // and a boolean to check if the value has been set. -func (o *GetFedCmParametersResponse) GetCsrfTokenOk() (*string, bool) { +func (o *CreateFedcmFlowResponse) GetCsrfTokenOk() (*string, bool) { if o == nil || o.CsrfToken == nil { return nil, false } @@ -57,7 +57,7 @@ func (o *GetFedCmParametersResponse) GetCsrfTokenOk() (*string, bool) { } // HasCsrfToken returns a boolean if a field has been set. -func (o *GetFedCmParametersResponse) HasCsrfToken() bool { +func (o *CreateFedcmFlowResponse) HasCsrfToken() bool { if o != nil && o.CsrfToken != nil { return true } @@ -66,12 +66,12 @@ func (o *GetFedCmParametersResponse) HasCsrfToken() bool { } // SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field. -func (o *GetFedCmParametersResponse) SetCsrfToken(v string) { +func (o *CreateFedcmFlowResponse) SetCsrfToken(v string) { o.CsrfToken = &v } // GetProviders returns the Providers field value if set, zero value otherwise. -func (o *GetFedCmParametersResponse) GetProviders() []Provider { +func (o *CreateFedcmFlowResponse) GetProviders() []Provider { if o == nil || o.Providers == nil { var ret []Provider return ret @@ -81,7 +81,7 @@ func (o *GetFedCmParametersResponse) GetProviders() []Provider { // GetProvidersOk returns a tuple with the Providers field value if set, nil otherwise // and a boolean to check if the value has been set. -func (o *GetFedCmParametersResponse) GetProvidersOk() ([]Provider, bool) { +func (o *CreateFedcmFlowResponse) GetProvidersOk() ([]Provider, bool) { if o == nil || o.Providers == nil { return nil, false } 
@@ -89,7 +89,7 @@ func (o *GetFedCmParametersResponse) GetProvidersOk() ([]Provider, bool) { } // HasProviders returns a boolean if a field has been set. -func (o *GetFedCmParametersResponse) HasProviders() bool { +func (o *CreateFedcmFlowResponse) HasProviders() bool { if o != nil && o.Providers != nil { return true } @@ -98,11 +98,11 @@ func (o *GetFedCmParametersResponse) HasProviders() bool { } // SetProviders gets a reference to the given []Provider and assigns it to the Providers field. -func (o *GetFedCmParametersResponse) SetProviders(v []Provider) { +func (o *CreateFedcmFlowResponse) SetProviders(v []Provider) { o.Providers = v } -func (o GetFedCmParametersResponse) MarshalJSON() ([]byte, error) { +func (o CreateFedcmFlowResponse) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken 
@@ -113,38 +113,38 @@ func (o GetFedCmParametersResponse) MarshalJSON() ([]byte, error) { return json.Marshal(toSerialize) } -type NullableGetFedCmParametersResponse struct { - value *GetFedCmParametersResponse +type NullableCreateFedcmFlowResponse struct { + value *CreateFedcmFlowResponse isSet bool } -func (v NullableGetFedCmParametersResponse) Get() *GetFedCmParametersResponse { +func (v NullableCreateFedcmFlowResponse) Get() *CreateFedcmFlowResponse { return v.value } -func (v *NullableGetFedCmParametersResponse) Set(val *GetFedCmParametersResponse) { +func (v *NullableCreateFedcmFlowResponse) Set(val *CreateFedcmFlowResponse) { v.value = val v.isSet = true } -func (v NullableGetFedCmParametersResponse) IsSet() bool { +func (v NullableCreateFedcmFlowResponse) IsSet() bool { return v.isSet } -func (v *NullableGetFedCmParametersResponse) Unset() { +func (v *NullableCreateFedcmFlowResponse) Unset() { v.value = nil v.isSet = false } -func NewNullableGetFedCmParametersResponse(val *GetFedCmParametersResponse) *NullableGetFedCmParametersResponse { - return &NullableGetFedCmParametersResponse{value: val, isSet: true} +func NewNullableCreateFedcmFlowResponse(val *CreateFedcmFlowResponse) *NullableCreateFedcmFlowResponse { + return &NullableCreateFedcmFlowResponse{value: val, isSet: true} } -func (v NullableGetFedCmParametersResponse) MarshalJSON() ([]byte, error) { +func (v NullableCreateFedcmFlowResponse) MarshalJSON() ([]byte, error) { return json.Marshal(v.value) } -func (v *NullableGetFedCmParametersResponse) UnmarshalJSON(src []byte) error { +func (v *NullableCreateFedcmFlowResponse) UnmarshalJSON(src []byte) error { v.isSet = true return json.Unmarshal(src, &v.value) } 
diff --git a/internal/client-go/model_submit_fedcm_token_body.go b/internal/client-go/model_update_fedcm_flow_body.go similarity index 63% rename from internal/client-go/model_submit_fedcm_token_body.go rename to internal/client-go/model_update_fedcm_flow_body.go index a8032c3a8cce..2d630d8ece53 100644 --- a/internal/client-go/model_submit_fedcm_token_body.go +++ b/internal/client-go/model_update_fedcm_flow_body.go @@ -15,8 +15,8 @@ import ( "encoding/json" ) -// SubmitFedcmTokenBody struct for SubmitFedcmTokenBody -type SubmitFedcmTokenBody struct { +// UpdateFedcmFlowBody struct for UpdateFedcmFlowBody +type UpdateFedcmFlowBody struct { // CSRFToken is the anti-CSRF token. CsrfToken string `json:"csrf_token"` // Nonce is the nonce that was used in the `navigator.credentials.get` call. If specified, it must match the `nonce` claim in the token. 
@@ -25,27 +25,27 @@ type SubmitFedcmTokenBody struct { Token string `json:"token"` } -// NewSubmitFedcmTokenBody instantiates a new SubmitFedcmTokenBody object +// NewUpdateFedcmFlowBody instantiates a new UpdateFedcmFlowBody object // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewSubmitFedcmTokenBody(csrfToken string, token string) *SubmitFedcmTokenBody { - this := SubmitFedcmTokenBody{} +func NewUpdateFedcmFlowBody(csrfToken string, token string) *UpdateFedcmFlowBody { + this := UpdateFedcmFlowBody{} this.CsrfToken = csrfToken this.Token = token return &this } -// NewSubmitFedcmTokenBodyWithDefaults instantiates a new SubmitFedcmTokenBody object +// NewUpdateFedcmFlowBodyWithDefaults instantiates a new UpdateFedcmFlowBody object // This constructor will only assign default values to properties that have it defined, // but it doesn't guarantee that properties required by API are set -func NewSubmitFedcmTokenBodyWithDefaults() *SubmitFedcmTokenBody { - this := SubmitFedcmTokenBody{} +func NewUpdateFedcmFlowBodyWithDefaults() *UpdateFedcmFlowBody { + this := UpdateFedcmFlowBody{} return &this } // GetCsrfToken returns the CsrfToken field value -func (o *SubmitFedcmTokenBody) GetCsrfToken() string { +func (o *UpdateFedcmFlowBody) GetCsrfToken() string { if o == nil { var ret string return ret @@ -56,7 +56,7 @@ func (o *SubmitFedcmTokenBody) GetCsrfToken() string { // GetCsrfTokenOk returns a tuple with the CsrfToken field value // and a boolean to check if the value has been set. -func (o *SubmitFedcmTokenBody) GetCsrfTokenOk() (*string, bool) { +func (o *UpdateFedcmFlowBody) GetCsrfTokenOk() (*string, bool) { if o == nil { return nil, false } 
@@ -64,12 +64,12 @@ func (o *SubmitFedcmTokenBody) GetCsrfTokenOk() (*string, bool) { } // SetCsrfToken sets field value -func (o *SubmitFedcmTokenBody) SetCsrfToken(v string) { +func (o *UpdateFedcmFlowBody) SetCsrfToken(v string) { o.CsrfToken = v } // GetNonce returns the Nonce field value if set, zero value otherwise. -func (o *SubmitFedcmTokenBody) GetNonce() string { +func (o *UpdateFedcmFlowBody) GetNonce() string { if o == nil || o.Nonce == nil { var ret string return ret @@ -79,7 +79,7 @@ func (o *SubmitFedcmTokenBody) GetNonce() string { // GetNonceOk returns a tuple with the Nonce field value if set, nil otherwise // and a boolean to check if the value has been set. -func (o *SubmitFedcmTokenBody) GetNonceOk() (*string, bool) { +func (o *UpdateFedcmFlowBody) GetNonceOk() (*string, bool) { if o == nil || o.Nonce == nil { return nil, false } @@ -87,7 +87,7 @@ func (o *SubmitFedcmTokenBody) GetNonceOk() (*string, bool) { } // HasNonce returns a boolean if a field has been set. -func (o *SubmitFedcmTokenBody) HasNonce() bool { +func (o *UpdateFedcmFlowBody) HasNonce() bool { if o != nil && o.Nonce != nil { return true } @@ -96,12 +96,12 @@ func (o *SubmitFedcmTokenBody) HasNonce() bool { } // SetNonce gets a reference to the given string and assigns it to the Nonce field. -func (o *SubmitFedcmTokenBody) SetNonce(v string) { +func (o *UpdateFedcmFlowBody) SetNonce(v string) { o.Nonce = &v } // GetToken returns the Token field value -func (o *SubmitFedcmTokenBody) GetToken() string { +func (o *UpdateFedcmFlowBody) GetToken() string { if o == nil { var ret string return ret @@ -112,7 +112,7 @@ func (o *SubmitFedcmTokenBody) GetToken() string { // GetTokenOk returns a tuple with the Token field value // and a boolean to check if the value has been set. -func (o *SubmitFedcmTokenBody) GetTokenOk() (*string, bool) { +func (o *UpdateFedcmFlowBody) GetTokenOk() (*string, bool) { if o == nil { return nil, false } 
@@ -120,11 +120,11 @@ func (o *SubmitFedcmTokenBody) GetTokenOk() (*string, bool) { } // SetToken sets field value -func (o *SubmitFedcmTokenBody) SetToken(v string) { +func (o *UpdateFedcmFlowBody) SetToken(v string) { o.Token = v } -func (o SubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { +func (o UpdateFedcmFlowBody) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} if true { toSerialize["csrf_token"] = o.CsrfToken 
@@ -138,38 +138,38 @@ func (o SubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { return json.Marshal(toSerialize) } -type NullableSubmitFedcmTokenBody struct { - value *SubmitFedcmTokenBody +type NullableUpdateFedcmFlowBody struct { + value *UpdateFedcmFlowBody isSet bool } -func (v NullableSubmitFedcmTokenBody) Get() *SubmitFedcmTokenBody { +func (v NullableUpdateFedcmFlowBody) Get() *UpdateFedcmFlowBody { return v.value } -func (v *NullableSubmitFedcmTokenBody) Set(val *SubmitFedcmTokenBody) { +func (v *NullableUpdateFedcmFlowBody) Set(val *UpdateFedcmFlowBody) { v.value = val v.isSet = true } -func (v NullableSubmitFedcmTokenBody) IsSet() bool { +func (v NullableUpdateFedcmFlowBody) IsSet() bool { return v.isSet } -func (v *NullableSubmitFedcmTokenBody) Unset() { +func (v *NullableUpdateFedcmFlowBody) Unset() { v.value = nil v.isSet = false } -func NewNullableSubmitFedcmTokenBody(val *SubmitFedcmTokenBody) *NullableSubmitFedcmTokenBody { - return &NullableSubmitFedcmTokenBody{value: val, isSet: true} +func NewNullableUpdateFedcmFlowBody(val *UpdateFedcmFlowBody) *NullableUpdateFedcmFlowBody { + return &NullableUpdateFedcmFlowBody{value: val, isSet: true} } -func (v NullableSubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { +func (v NullableUpdateFedcmFlowBody) MarshalJSON() ([]byte, error) { return json.Marshal(v.value) } -func (v *NullableSubmitFedcmTokenBody) UnmarshalJSON(src []byte) error { +func (v *NullableUpdateFedcmFlowBody) UnmarshalJSON(src []byte) error { v.isSet = true return json.Unmarshal(src, &v.value) } diff --git a/internal/httpclient/.openapi-generator/FILES b/internal/httpclient/.openapi-generator/FILES index 304b5b327fb8..e5608d3b70a9 100644 --- a/internal/httpclient/.openapi-generator/FILES +++ b/internal/httpclient/.openapi-generator/FILES 
@@ -24,6 +24,7 @@ docs/ContinueWithVerificationUiFlow.md docs/CourierAPI.md docs/CourierMessageStatus.md docs/CourierMessageType.md +docs/CreateFedcmFlowResponse.md docs/CreateIdentityBody.md docs/CreateRecoveryCodeForIdentityBody.md docs/CreateRecoveryLinkForIdentityBody.md @@ -35,7 +36,6 @@ docs/ErrorGeneric.md docs/FlowError.md docs/FrontendAPI.md docs/GenericError.md -docs/GetFedCmParametersResponse.md docs/GetVersion200Response.md docs/HealthNotReadyStatus.md docs/HealthStatus.md @@ -85,7 +85,6 @@ docs/SessionAuthenticationMethod.md docs/SessionDevice.md docs/SettingsFlow.md docs/SettingsFlowState.md -docs/SubmitFedcmTokenBody.md docs/SuccessfulCodeExchangeResponse.md docs/SuccessfulNativeLogin.md docs/SuccessfulNativeRegistration.md @@ -101,6 +100,7 @@ docs/UiNodeMeta.md docs/UiNodeScriptAttributes.md docs/UiNodeTextAttributes.md docs/UiText.md +docs/UpdateFedcmFlowBody.md docs/UpdateIdentityBody.md docs/UpdateLoginFlowBody.md docs/UpdateLoginFlowWithCodeMethod.md @@ -153,6 +153,7 @@ model_continue_with_verification_ui.go model_continue_with_verification_ui_flow.go model_courier_message_status.go model_courier_message_type.go +model_create_fedcm_flow_response.go model_create_identity_body.go model_create_recovery_code_for_identity_body.go model_create_recovery_link_for_identity_body.go @@ -163,7 +164,6 @@ model_error_flow_replaced.go model_error_generic.go model_flow_error.go model_generic_error.go -model_get_fed_cm_parameters_response.go model_get_version_200_response.go model_health_not_ready_status.go model_health_status.go @@ -211,7 +211,6 @@ model_session_authentication_method.go model_session_device.go model_settings_flow.go model_settings_flow_state.go -model_submit_fedcm_token_body.go model_successful_code_exchange_response.go model_successful_native_login.go model_successful_native_registration.go 
@@ -227,6 +226,7 @@ model_ui_node_meta.go model_ui_node_script_attributes.go model_ui_node_text_attributes.go model_ui_text.go +model_update_fedcm_flow_body.go model_update_identity_body.go model_update_login_flow_body.go model_update_login_flow_with_code_method.go diff --git a/internal/httpclient/README.md b/internal/httpclient/README.md index e9657b0432f8..b418e308083f 100644 --- a/internal/httpclient/README.md +++ b/internal/httpclient/README.md @@ -87,6 +87,7 @@ Class | Method | HTTP request | Description *FrontendAPI* | [**CreateBrowserRegistrationFlow**](docs/FrontendAPI.md#createbrowserregistrationflow) | **Get** /self-service/registration/browser | Create Registration Flow for Browsers *FrontendAPI* | [**CreateBrowserSettingsFlow**](docs/FrontendAPI.md#createbrowsersettingsflow) | **Get** /self-service/settings/browser | Create Settings Flow for Browsers *FrontendAPI* | [**CreateBrowserVerificationFlow**](docs/FrontendAPI.md#createbrowserverificationflow) | **Get** /self-service/verification/browser | Create Verification Flow for Browser Clients +*FrontendAPI* | [**CreateFedcmFlow**](docs/FrontendAPI.md#createfedcmflow) | **Get** /self-service/fed-cm/parameters | Get FedCM Parameters *FrontendAPI* | [**CreateNativeLoginFlow**](docs/FrontendAPI.md#createnativeloginflow) | **Get** /self-service/login/api | Create Login Flow for Native Apps *FrontendAPI* | [**CreateNativeRecoveryFlow**](docs/FrontendAPI.md#createnativerecoveryflow) | **Get** /self-service/recovery/api | Create Recovery Flow for Native Apps *FrontendAPI* | [**CreateNativeRegistrationFlow**](docs/FrontendAPI.md#createnativeregistrationflow) | **Get** /self-service/registration/api | Create Registration Flow for Native Apps 
@@ -95,7 +96,6 @@ Class | Method | HTTP request | Description *FrontendAPI* | [**DisableMyOtherSessions**](docs/FrontendAPI.md#disablemyothersessions) | **Delete** /sessions | Disable my other sessions *FrontendAPI* | [**DisableMySession**](docs/FrontendAPI.md#disablemysession) | **Delete** /sessions/{id} | Disable one of my sessions *FrontendAPI* | [**ExchangeSessionToken**](docs/FrontendAPI.md#exchangesessiontoken) | **Get** /sessions/token-exchange | Exchange Session Token -*FrontendAPI* | [**GetFedcmParameters**](docs/FrontendAPI.md#getfedcmparameters) | **Get** /self-service/fed-cm/parameters | Get FedCM Parameters *FrontendAPI* | [**GetFlowError**](docs/FrontendAPI.md#getflowerror) | **Get** /self-service/errors | Get User-Flow Errors *FrontendAPI* | [**GetLoginFlow**](docs/FrontendAPI.md#getloginflow) | **Get** /self-service/login/flows | Get Login Flow *FrontendAPI* | [**GetRecoveryFlow**](docs/FrontendAPI.md#getrecoveryflow) | **Get** /self-service/recovery/flows | Get Recovery Flow 
@@ -105,8 +105,8 @@ Class | Method | HTTP request | Description *FrontendAPI* | [**GetWebAuthnJavaScript**](docs/FrontendAPI.md#getwebauthnjavascript) | **Get** /.well-known/ory/webauthn.js | Get WebAuthn JavaScript *FrontendAPI* | [**ListMySessions**](docs/FrontendAPI.md#listmysessions) | **Get** /sessions | Get My Active Sessions *FrontendAPI* | [**PerformNativeLogout**](docs/FrontendAPI.md#performnativelogout) | **Delete** /self-service/logout/api | Perform Logout for Native Apps -*FrontendAPI* | [**SubmitFedcmToken**](docs/FrontendAPI.md#submitfedcmtoken) | **Post** /self-service/fed-cm/token | Submit a FedCM token *FrontendAPI* | [**ToSession**](docs/FrontendAPI.md#tosession) | **Get** /sessions/whoami | Check Who the Current HTTP Session Belongs To +*FrontendAPI* | [**UpdateFedcmFlow**](docs/FrontendAPI.md#updatefedcmflow) | **Post** /self-service/fed-cm/token | Submit a FedCM token *FrontendAPI* | [**UpdateLoginFlow**](docs/FrontendAPI.md#updateloginflow) | **Post** /self-service/login | Submit a Login Flow *FrontendAPI* | [**UpdateLogoutFlow**](docs/FrontendAPI.md#updatelogoutflow) | **Get** /self-service/logout | Update Logout Flow *FrontendAPI* | [**UpdateRecoveryFlow**](docs/FrontendAPI.md#updaterecoveryflow) | **Post** /self-service/recovery | Update Recovery Flow @@ -152,6 +152,7 @@ Class | Method | HTTP request | Description - [ContinueWithVerificationUiFlow](docs/ContinueWithVerificationUiFlow.md) - [CourierMessageStatus](docs/CourierMessageStatus.md) - [CourierMessageType](docs/CourierMessageType.md) + - [CreateFedcmFlowResponse](docs/CreateFedcmFlowResponse.md) - [CreateIdentityBody](docs/CreateIdentityBody.md) - [CreateRecoveryCodeForIdentityBody](docs/CreateRecoveryCodeForIdentityBody.md) - [CreateRecoveryLinkForIdentityBody](docs/CreateRecoveryLinkForIdentityBody.md) 
@@ -162,7 +163,6 @@ Class | Method | HTTP request | Description - [ErrorGeneric](docs/ErrorGeneric.md) - [FlowError](docs/FlowError.md) - [GenericError](docs/GenericError.md) - - [GetFedCmParametersResponse](docs/GetFedCmParametersResponse.md) - [GetVersion200Response](docs/GetVersion200Response.md) - [HealthNotReadyStatus](docs/HealthNotReadyStatus.md) - [HealthStatus](docs/HealthStatus.md) @@ -210,7 +210,6 @@ Class | Method | HTTP request | Description - [SessionDevice](docs/SessionDevice.md) - [SettingsFlow](docs/SettingsFlow.md) - [SettingsFlowState](docs/SettingsFlowState.md) - - [SubmitFedcmTokenBody](docs/SubmitFedcmTokenBody.md) - [SuccessfulCodeExchangeResponse](docs/SuccessfulCodeExchangeResponse.md) - [SuccessfulNativeLogin](docs/SuccessfulNativeLogin.md) - [SuccessfulNativeRegistration](docs/SuccessfulNativeRegistration.md) @@ -226,6 +225,7 @@ Class | Method | HTTP request | Description - [UiNodeScriptAttributes](docs/UiNodeScriptAttributes.md) - [UiNodeTextAttributes](docs/UiNodeTextAttributes.md) - [UiText](docs/UiText.md) + - [UpdateFedcmFlowBody](docs/UpdateFedcmFlowBody.md) - [UpdateIdentityBody](docs/UpdateIdentityBody.md) - [UpdateLoginFlowBody](docs/UpdateLoginFlowBody.md) - [UpdateLoginFlowWithCodeMethod](docs/UpdateLoginFlowWithCodeMethod.md) diff --git a/internal/httpclient/api_frontend.go b/internal/httpclient/api_frontend.go index 97f0ca8b82c7..cd243b065b4b 100644 --- a/internal/httpclient/api_frontend.go +++ b/internal/httpclient/api_frontend.go 
@@ -201,6 +201,20 @@ type FrontendAPI interface { */ CreateBrowserVerificationFlowExecute(r FrontendAPIApiCreateBrowserVerificationFlowRequest) (*VerificationFlow, *http.Response, error) + /* + * CreateFedcmFlow Get FedCM Parameters + * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiCreateFedcmFlowRequest + */ + CreateFedcmFlow(ctx context.Context) FrontendAPIApiCreateFedcmFlowRequest + + /* + * CreateFedcmFlowExecute executes the request + * @return CreateFedcmFlowResponse + */ + CreateFedcmFlowExecute(r FrontendAPIApiCreateFedcmFlowRequest) (*CreateFedcmFlowResponse, *http.Response, error) + /* * CreateNativeLoginFlow Create Login Flow for Native Apps * This endpoint initiates a login flow for native apps that do not use a browser, such as mobile devices, smart TVs, and so on. @@ -394,20 +408,6 @@ type FrontendAPI interface { */ ExchangeSessionTokenExecute(r FrontendAPIApiExchangeSessionTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) - /* - * GetFedcmParameters Get FedCM Parameters - * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. - * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). - * @return FrontendAPIApiGetFedcmParametersRequest - */ - GetFedcmParameters(ctx context.Context) FrontendAPIApiGetFedcmParametersRequest - - /* - * GetFedcmParametersExecute executes the request - * @return GetFedCmParametersResponse - */ - GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetFedCmParametersResponse, *http.Response, error) - /* * GetFlowError Get User-Flow Errors * This endpoint returns the error associated with a user-facing self service errors. 
@@ -651,23 +651,6 @@ type FrontendAPI interface { */ PerformNativeLogoutExecute(r FrontendAPIApiPerformNativeLogoutRequest) (*http.Response, error) - /* - * SubmitFedcmToken Submit a FedCM token - * Use this endpoint to submit a token from a FedCM provider through - `navigator.credentials.get` and log the user in. The parameters from - `navigator.credentials.get` must have come from `GET - self-service/fed-cm/parameters`. - * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). - * @return FrontendAPIApiSubmitFedcmTokenRequest - */ - SubmitFedcmToken(ctx context.Context) FrontendAPIApiSubmitFedcmTokenRequest - - /* - * SubmitFedcmTokenExecute executes the request - * @return SuccessfulNativeLogin - */ - SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcmTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) - /* * ToSession Check Who the Current HTTP Session Belongs To * Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated. 
@@ -740,6 +723,23 @@ type FrontendAPI interface { */ ToSessionExecute(r FrontendAPIApiToSessionRequest) (*Session, *http.Response, error) + /* + * UpdateFedcmFlow Submit a FedCM token + * Use this endpoint to submit a token from a FedCM provider through + `navigator.credentials.get` and log the user in. The parameters from + `navigator.credentials.get` must have come from `GET + self-service/fed-cm/parameters`. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiUpdateFedcmFlowRequest + */ + UpdateFedcmFlow(ctx context.Context) FrontendAPIApiUpdateFedcmFlowRequest + + /* + * UpdateFedcmFlowExecute executes the request + * @return SuccessfulNativeLogin + */ + UpdateFedcmFlowExecute(r FrontendAPIApiUpdateFedcmFlowRequest) (*SuccessfulNativeLogin, *http.Response, error) + /* * UpdateLoginFlow Submit a Login Flow * Use this endpoint to complete a login flow. This endpoint 
@@ -1921,6 +1921,124 @@ func (a *FrontendAPIService) CreateBrowserVerificationFlowExecute(r FrontendAPIA return localVarReturnValue, localVarHTTPResponse, nil } +type FrontendAPIApiCreateFedcmFlowRequest struct { + ctx context.Context + ApiService FrontendAPI +} + +func (r FrontendAPIApiCreateFedcmFlowRequest) Execute() (*CreateFedcmFlowResponse, *http.Response, error) { + return r.ApiService.CreateFedcmFlowExecute(r) +} + +/* + * CreateFedcmFlow Get FedCM Parameters + * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiCreateFedcmFlowRequest + */ +func (a *FrontendAPIService) CreateFedcmFlow(ctx context.Context) FrontendAPIApiCreateFedcmFlowRequest { + return FrontendAPIApiCreateFedcmFlowRequest{ + ApiService: a, + ctx: ctx, + } +} + +/* + * Execute executes the request + * @return CreateFedcmFlowResponse + */ +func (a *FrontendAPIService) CreateFedcmFlowExecute(r FrontendAPIApiCreateFedcmFlowRequest) (*CreateFedcmFlowResponse, *http.Response, error) { + var ( + localVarHTTPMethod = http.MethodGet + localVarPostBody interface{} + localVarFormFileName string + localVarFileName string + localVarFileBytes []byte + localVarReturnValue *CreateFedcmFlowResponse + ) + + localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.CreateFedcmFlow") + if err != nil { + return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} + } + + localVarPath := localBasePath + "/self-service/fed-cm/parameters" + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := url.Values{} + localVarFormParams := url.Values{} + + // to determine the Content-Type header + localVarHTTPContentTypes := []string{} + + // set Content-Type header + localVarHTTPContentType := 
selectHeaderContentType(localVarHTTPContentTypes) + if localVarHTTPContentType != "" { + localVarHeaderParams["Content-Type"] = localVarHTTPContentType + } + + // to determine the Accept header + localVarHTTPHeaderAccepts := []string{"application/json"} + + // set Accept header + localVarHTTPHeaderAccept := selectHeaderAccept(localVarHTTPHeaderAccepts) + if localVarHTTPHeaderAccept != "" { + localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept + } + req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.client.callAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + localVarBody, err := io.ReadAll(io.LimitReader(localVarHTTPResponse.Body, 1024*1024)) + localVarHTTPResponse.Body.Close() + localVarHTTPResponse.Body = io.NopCloser(bytes.NewBuffer(localVarBody)) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 400 { + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + + err = 
a.client.decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: err.Error(), + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + return localVarReturnValue, localVarHTTPResponse, nil +} + type FrontendAPIApiCreateNativeLoginFlowRequest struct { ctx context.Context ApiService FrontendAPI 
@@ -3135,124 +3253,6 @@ func (a *FrontendAPIService) ExchangeSessionTokenExecute(r FrontendAPIApiExchang return localVarReturnValue, localVarHTTPResponse, nil } -type FrontendAPIApiGetFedcmParametersRequest struct { - ctx context.Context - ApiService FrontendAPI -} - -func (r FrontendAPIApiGetFedcmParametersRequest) Execute() (*GetFedCmParametersResponse, *http.Response, error) { - return r.ApiService.GetFedcmParametersExecute(r) -} - -/* - * GetFedcmParameters Get FedCM Parameters - * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. - * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). - * @return FrontendAPIApiGetFedcmParametersRequest - */ -func (a *FrontendAPIService) GetFedcmParameters(ctx context.Context) FrontendAPIApiGetFedcmParametersRequest { - return FrontendAPIApiGetFedcmParametersRequest{ - ApiService: a, - ctx: ctx, - } -} - -/* - * Execute executes the request - * @return GetFedCmParametersResponse - */ -func (a *FrontendAPIService) GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetFedCmParametersResponse, *http.Response, error) { - var ( - localVarHTTPMethod = http.MethodGet - localVarPostBody interface{} - localVarFormFileName string - localVarFileName string - localVarFileBytes []byte - localVarReturnValue *GetFedCmParametersResponse - ) - - localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.GetFedcmParameters") - if err != nil { - return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} - } - - localVarPath := localBasePath + "/self-service/fed-cm/parameters" - - localVarHeaderParams := make(map[string]string) - localVarQueryParams := url.Values{} - localVarFormParams := url.Values{} - - // to determine the Content-Type header - localVarHTTPContentTypes := []string{} - - // set Content-Type header - localVarHTTPContentType := 
selectHeaderContentType(localVarHTTPContentTypes) - if localVarHTTPContentType != "" { - localVarHeaderParams["Content-Type"] = localVarHTTPContentType - } - - // to determine the Accept header - localVarHTTPHeaderAccepts := []string{"application/json"} - - // set Accept header - localVarHTTPHeaderAccept := selectHeaderAccept(localVarHTTPHeaderAccepts) - if localVarHTTPHeaderAccept != "" { - localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept - } - req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) - if err != nil { - return localVarReturnValue, nil, err - } - - localVarHTTPResponse, err := a.client.callAPI(req) - if err != nil || localVarHTTPResponse == nil { - return localVarReturnValue, localVarHTTPResponse, err - } - - localVarBody, err := io.ReadAll(io.LimitReader(localVarHTTPResponse.Body, 1024*1024)) - localVarHTTPResponse.Body.Close() - localVarHTTPResponse.Body = io.NopCloser(bytes.NewBuffer(localVarBody)) - if err != nil { - return localVarReturnValue, localVarHTTPResponse, err - } - - if localVarHTTPResponse.StatusCode >= 300 { - newErr := &GenericOpenAPIError{ - body: localVarBody, - error: localVarHTTPResponse.Status, - } - if localVarHTTPResponse.StatusCode == 400 { - var v ErrorGeneric - err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) - if err != nil { - newErr.error = err.Error() - return localVarReturnValue, localVarHTTPResponse, newErr - } - newErr.model = v - return localVarReturnValue, localVarHTTPResponse, newErr - } - var v ErrorGeneric - err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) - if err != nil { - newErr.error = err.Error() - return localVarReturnValue, localVarHTTPResponse, newErr - } - newErr.model = v - return localVarReturnValue, localVarHTTPResponse, newErr - } - - err = 
a.client.decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) - if err != nil { - newErr := &GenericOpenAPIError{ - body: localVarBody, - error: err.Error(), - } - return localVarReturnValue, localVarHTTPResponse, newErr - } - - return localVarReturnValue, localVarHTTPResponse, nil -} - type FrontendAPIApiGetFlowErrorRequest struct { ctx context.Context ApiService FrontendAPI 
@@ -4688,33 +4688,98 @@ func (a *FrontendAPIService) PerformNativeLogoutExecute(r FrontendAPIApiPerformN return localVarHTTPResponse, nil } -type FrontendAPIApiSubmitFedcmTokenRequest struct { - ctx context.Context - ApiService FrontendAPI - submitFedcmTokenBody *SubmitFedcmTokenBody +type FrontendAPIApiToSessionRequest struct { + ctx context.Context + ApiService FrontendAPI + xSessionToken *string + cookie *string + tokenizeAs *string } -func (r FrontendAPIApiSubmitFedcmTokenRequest) SubmitFedcmTokenBody(submitFedcmTokenBody SubmitFedcmTokenBody) FrontendAPIApiSubmitFedcmTokenRequest { - r.submitFedcmTokenBody = &submitFedcmTokenBody +func (r FrontendAPIApiToSessionRequest) XSessionToken(xSessionToken string) FrontendAPIApiToSessionRequest { + r.xSessionToken = &xSessionToken + return r +} +func (r FrontendAPIApiToSessionRequest) Cookie(cookie string) FrontendAPIApiToSessionRequest { + r.cookie = &cookie + return r +} +func (r FrontendAPIApiToSessionRequest) TokenizeAs(tokenizeAs string) FrontendAPIApiToSessionRequest { + r.tokenizeAs = &tokenizeAs return r } -func (r FrontendAPIApiSubmitFedcmTokenRequest) Execute() (*SuccessfulNativeLogin, *http.Response, error) { - return r.ApiService.SubmitFedcmTokenExecute(r) +func (r FrontendAPIApiToSessionRequest) Execute() (*Session, *http.Response, error) { + return r.ApiService.ToSessionExecute(r) } /* - - SubmitFedcmToken Submit a FedCM token - - Use this endpoint to submit a token from a FedCM provider through + - ToSession Check Who the Current HTTP Session Belongs To + - Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated. -`navigator.credentials.get` and log the user in. The parameters from -`navigator.credentials.get` must have come from `GET -self-service/fed-cm/parameters`. +Returns a session object in the body or 401 if the credentials are invalid or no credentials were sent. 
+When the request it successful it adds the user ID to the 'X-Kratos-Authenticated-Identity-Id' header +in the response. + +If you call this endpoint from a server-side application, you must forward the HTTP Cookie Header to this endpoint: + +```js +pseudo-code example +router.get('/protected-endpoint', async function (req, res) { +const session = await client.toSession(undefined, req.header('cookie')) + +console.log(session) +}) +``` + +When calling this endpoint from a non-browser application (e.g. mobile app) you must include the session token: + +```js +pseudo-code example +... +const session = await client.toSession("the-session-token") + +console.log(session) +``` + +When using a token template, the token is included in the `tokenized` field of the session. + +```js +pseudo-code example +... +const session = await client.toSession("the-session-token", { tokenize_as: "example-jwt-template" }) + +console.log(session.tokenized) // The JWT +``` + +Depending on your configuration this endpoint might return a 403 status code if the session has a lower Authenticator +Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn +credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user +to sign in with the second factor or change the configuration. + +This endpoint is useful for: + +AJAX calls. Remember to send credentials and set up CORS correctly! +Reverse proxies and API Gateways +Server-side calls - use the `X-Session-Token` header! + +This endpoint authenticates users by checking: + +if the `Cookie` HTTP header was set containing an Ory Kratos Session Cookie; +if the `Authorization: bearer ` HTTP header was set with a valid Ory Kratos Session Token; +if the `X-Session-Token` HTTP header was set with a valid Ory Kratos Session Token. + +If none of these headers are set or the cookie or token are invalid, the endpoint returns a HTTP 401 status code. 
+ +As explained above, this request may fail due to several reasons. The `error.id` can be one of: + +`session_inactive`: No active session was found in the request (e.g. no Ory Session Cookie / Ory Session Token). +`session_aal2_required`: An active session was found but it does not fulfil the Authenticator Assurance Level, implying that the session must (e.g.) authenticate the second factor. - @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). - - @return FrontendAPIApiSubmitFedcmTokenRequest + - @return FrontendAPIApiToSessionRequest */ -func (a *FrontendAPIService) SubmitFedcmToken(ctx context.Context) FrontendAPIApiSubmitFedcmTokenRequest { - return FrontendAPIApiSubmitFedcmTokenRequest{ +func (a *FrontendAPIService) ToSession(ctx context.Context) FrontendAPIApiToSessionRequest { + return FrontendAPIApiToSessionRequest{ ApiService: a, ctx: ctx, } 
@@ -4722,34 +4787,34 @@ func (a *FrontendAPIService) SubmitFedcmToken(ctx context.Context) FrontendAPIAp /* * Execute executes the request - * @return SuccessfulNativeLogin + * @return Session */ -func (a *FrontendAPIService) SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcmTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) { +func (a *FrontendAPIService) ToSessionExecute(r FrontendAPIApiToSessionRequest) (*Session, *http.Response, error) { var ( - localVarHTTPMethod = http.MethodPost + localVarHTTPMethod = http.MethodGet localVarPostBody interface{} localVarFormFileName string localVarFileName string localVarFileBytes []byte - localVarReturnValue *SuccessfulNativeLogin + localVarReturnValue *Session ) - localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.SubmitFedcmToken") + localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.ToSession") if err != nil { return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} } - localVarPath := localBasePath + "/self-service/fed-cm/token" + localVarPath := localBasePath + "/sessions/whoami" localVarHeaderParams := make(map[string]string) localVarQueryParams := url.Values{} localVarFormParams := url.Values{} - if r.submitFedcmTokenBody == nil { - return localVarReturnValue, nil, reportError("submitFedcmTokenBody is required and must be specified") - } + if r.tokenizeAs != nil { + localVarQueryParams.Add("tokenize_as", parameterToString(*r.tokenizeAs, "")) + } // to determine the Content-Type header - localVarHTTPContentTypes := []string{"application/json", "application/x-www-form-urlencoded"} + localVarHTTPContentTypes := []string{} // set Content-Type header localVarHTTPContentType := selectHeaderContentType(localVarHTTPContentTypes) 
@@ -4765,8 +4830,12 @@ func (a *FrontendAPIService) SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcm if localVarHTTPHeaderAccept != "" { localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept } - // body params - localVarPostBody = r.submitFedcmTokenBody + if r.xSessionToken != nil { + localVarHeaderParams["X-Session-Token"] = parameterToString(*r.xSessionToken, "") + } + if r.cookie != nil { + localVarHeaderParams["Cookie"] = parameterToString(*r.cookie, "") + } req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) if err != nil { return localVarReturnValue, nil, err @@ -4789,17 +4858,7 @@ func (a *FrontendAPIService) SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcm body: localVarBody, error: localVarHTTPResponse.Status, } - if localVarHTTPResponse.StatusCode == 400 { - var v LoginFlow - err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) - if err != nil { - newErr.error = err.Error() - return localVarReturnValue, localVarHTTPResponse, newErr - } - newErr.model = v - return localVarReturnValue, localVarHTTPResponse, newErr - } - if localVarHTTPResponse.StatusCode == 410 { + if localVarHTTPResponse.StatusCode == 401 { var v ErrorGeneric err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) if err != nil { @@ -4809,8 +4868,8 @@ func (a *FrontendAPIService) SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcm newErr.model = v return localVarReturnValue, localVarHTTPResponse, newErr } - if localVarHTTPResponse.StatusCode == 422 { - var v ErrorBrowserLocationChangeRequired + if localVarHTTPResponse.StatusCode == 403 { + var v ErrorGeneric err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) if err != nil { newErr.error = err.Error() 
@@ -4841,98 +4900,33 @@ func (a *FrontendAPIService) SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcm return localVarReturnValue, localVarHTTPResponse, nil } -type FrontendAPIApiToSessionRequest struct { - ctx context.Context - ApiService FrontendAPI - xSessionToken *string - cookie *string - tokenizeAs *string +type FrontendAPIApiUpdateFedcmFlowRequest struct { + ctx context.Context + ApiService FrontendAPI + updateFedcmFlowBody *UpdateFedcmFlowBody } -func (r FrontendAPIApiToSessionRequest) XSessionToken(xSessionToken string) FrontendAPIApiToSessionRequest { - r.xSessionToken = &xSessionToken - return r -} -func (r FrontendAPIApiToSessionRequest) Cookie(cookie string) FrontendAPIApiToSessionRequest { - r.cookie = &cookie - return r -} -func (r FrontendAPIApiToSessionRequest) TokenizeAs(tokenizeAs string) FrontendAPIApiToSessionRequest { - r.tokenizeAs = &tokenizeAs +func (r FrontendAPIApiUpdateFedcmFlowRequest) UpdateFedcmFlowBody(updateFedcmFlowBody UpdateFedcmFlowBody) FrontendAPIApiUpdateFedcmFlowRequest { + r.updateFedcmFlowBody = &updateFedcmFlowBody return r } -func (r FrontendAPIApiToSessionRequest) Execute() (*Session, *http.Response, error) { - return r.ApiService.ToSessionExecute(r) +func (r FrontendAPIApiUpdateFedcmFlowRequest) Execute() (*SuccessfulNativeLogin, *http.Response, error) { + return r.ApiService.UpdateFedcmFlowExecute(r) } /* - - ToSession Check Who the Current HTTP Session Belongs To - - Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated. - -Returns a session object in the body or 401 if the credentials are invalid or no credentials were sent. -When the request it successful it adds the user ID to the 'X-Kratos-Authenticated-Identity-Id' header -in the response. 
- -If you call this endpoint from a server-side application, you must forward the HTTP Cookie Header to this endpoint: - -```js -pseudo-code example -router.get('/protected-endpoint', async function (req, res) { -const session = await client.toSession(undefined, req.header('cookie')) - -console.log(session) -}) -``` - -When calling this endpoint from a non-browser application (e.g. mobile app) you must include the session token: - -```js -pseudo-code example -... -const session = await client.toSession("the-session-token") - -console.log(session) -``` - -When using a token template, the token is included in the `tokenized` field of the session. - -```js -pseudo-code example -... -const session = await client.toSession("the-session-token", { tokenize_as: "example-jwt-template" }) - -console.log(session.tokenized) // The JWT -``` - -Depending on your configuration this endpoint might return a 403 status code if the session has a lower Authenticator -Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn -credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user -to sign in with the second factor or change the configuration. - -This endpoint is useful for: - -AJAX calls. Remember to send credentials and set up CORS correctly! -Reverse proxies and API Gateways -Server-side calls - use the `X-Session-Token` header! - -This endpoint authenticates users by checking: - -if the `Cookie` HTTP header was set containing an Ory Kratos Session Cookie; -if the `Authorization: bearer ` HTTP header was set with a valid Ory Kratos Session Token; -if the `X-Session-Token` HTTP header was set with a valid Ory Kratos Session Token. - -If none of these headers are set or the cookie or token are invalid, the endpoint returns a HTTP 401 status code. - -As explained above, this request may fail due to several reasons. 
The `error.id` can be one of: + - UpdateFedcmFlow Submit a FedCM token + - Use this endpoint to submit a token from a FedCM provider through -`session_inactive`: No active session was found in the request (e.g. no Ory Session Cookie / Ory Session Token). -`session_aal2_required`: An active session was found but it does not fulfil the Authenticator Assurance Level, implying that the session must (e.g.) authenticate the second factor. +`navigator.credentials.get` and log the user in. The parameters from +`navigator.credentials.get` must have come from `GET +self-service/fed-cm/parameters`. - @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). - - @return FrontendAPIApiToSessionRequest + - @return FrontendAPIApiUpdateFedcmFlowRequest */ -func (a *FrontendAPIService) ToSession(ctx context.Context) FrontendAPIApiToSessionRequest { - return FrontendAPIApiToSessionRequest{ +func (a *FrontendAPIService) UpdateFedcmFlow(ctx context.Context) FrontendAPIApiUpdateFedcmFlowRequest { + return FrontendAPIApiUpdateFedcmFlowRequest{ ApiService: a, ctx: ctx, } 
@@ -4940,34 +4934,34 @@ func (a *FrontendAPIService) ToSession(ctx context.Context) FrontendAPIApiToSess /* * Execute executes the request - * @return Session + * @return SuccessfulNativeLogin */ -func (a *FrontendAPIService) ToSessionExecute(r FrontendAPIApiToSessionRequest) (*Session, *http.Response, error) { +func (a *FrontendAPIService) UpdateFedcmFlowExecute(r FrontendAPIApiUpdateFedcmFlowRequest) (*SuccessfulNativeLogin, *http.Response, error) { var ( - localVarHTTPMethod = http.MethodGet + localVarHTTPMethod = http.MethodPost localVarPostBody interface{} localVarFormFileName string localVarFileName string localVarFileBytes []byte - localVarReturnValue *Session + localVarReturnValue *SuccessfulNativeLogin ) - localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.ToSession") + localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.UpdateFedcmFlow") if err != nil { return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} } - localVarPath := localBasePath + "/sessions/whoami" + localVarPath := localBasePath + "/self-service/fed-cm/token" localVarHeaderParams := make(map[string]string) localVarQueryParams := url.Values{} localVarFormParams := url.Values{} - - if r.tokenizeAs != nil { - localVarQueryParams.Add("tokenize_as", parameterToString(*r.tokenizeAs, "")) + if r.updateFedcmFlowBody == nil { + return localVarReturnValue, nil, reportError("updateFedcmFlowBody is required and must be specified") } + // to determine the Content-Type header - localVarHTTPContentTypes := []string{} + localVarHTTPContentTypes := []string{"application/json", "application/x-www-form-urlencoded"} // set Content-Type header localVarHTTPContentType := selectHeaderContentType(localVarHTTPContentTypes) 
@@ -4983,12 +4977,8 @@ func (a *FrontendAPIService) ToSessionExecute(r FrontendAPIApiToSessionRequest) if localVarHTTPHeaderAccept != "" { localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept } - if r.xSessionToken != nil { - localVarHeaderParams["X-Session-Token"] = parameterToString(*r.xSessionToken, "") - } - if r.cookie != nil { - localVarHeaderParams["Cookie"] = parameterToString(*r.cookie, "") - } + // body params + localVarPostBody = r.updateFedcmFlowBody req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) if err != nil { return localVarReturnValue, nil, err @@ -5011,8 +5001,8 @@ func (a *FrontendAPIService) ToSessionExecute(r FrontendAPIApiToSessionRequest) body: localVarBody, error: localVarHTTPResponse.Status, } - if localVarHTTPResponse.StatusCode == 401 { - var v ErrorGeneric + if localVarHTTPResponse.StatusCode == 400 { + var v LoginFlow err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) if err != nil { newErr.error = err.Error() @@ -5021,7 +5011,7 @@ func (a *FrontendAPIService) ToSessionExecute(r FrontendAPIApiToSessionRequest) newErr.model = v return localVarReturnValue, localVarHTTPResponse, newErr } - if localVarHTTPResponse.StatusCode == 403 { + if localVarHTTPResponse.StatusCode == 410 { var v ErrorGeneric err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) if err != nil { 
@@ -5031,6 +5021,16 @@ func (a *FrontendAPIService) ToSessionExecute(r FrontendAPIApiToSessionRequest) newErr.model = v return localVarReturnValue, localVarHTTPResponse, newErr } + if localVarHTTPResponse.StatusCode == 422 { + var v ErrorBrowserLocationChangeRequired + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } var v ErrorGeneric err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) if err != nil { diff --git a/internal/httpclient/model_get_fed_cm_parameters_response.go b/internal/httpclient/model_create_fedcm_flow_response.go similarity index 59% rename from internal/httpclient/model_get_fed_cm_parameters_response.go rename to internal/httpclient/model_create_fedcm_flow_response.go index 1563b7e2cee2..fdca32672c63 100644 --- a/internal/httpclient/model_get_fed_cm_parameters_response.go +++ b/internal/httpclient/model_create_fedcm_flow_response.go 
@@ -15,31 +15,31 @@ import ( "encoding/json" ) -// GetFedCmParametersResponse Contains a list of all available FedCM providers. -type GetFedCmParametersResponse struct { +// CreateFedcmFlowResponse Contains a list of all available FedCM providers. +type CreateFedcmFlowResponse struct { CsrfToken *string `json:"csrf_token,omitempty"` Providers []Provider `json:"providers,omitempty"` } -// NewGetFedCmParametersResponse instantiates a new GetFedCmParametersResponse object +// NewCreateFedcmFlowResponse instantiates a new CreateFedcmFlowResponse object // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewGetFedCmParametersResponse() *GetFedCmParametersResponse { - this := GetFedCmParametersResponse{} +func NewCreateFedcmFlowResponse() *CreateFedcmFlowResponse { + this := CreateFedcmFlowResponse{} return &this } -// NewGetFedCmParametersResponseWithDefaults instantiates a new GetFedCmParametersResponse object +// NewCreateFedcmFlowResponseWithDefaults instantiates a new CreateFedcmFlowResponse object // This constructor will only assign default values to properties that have it defined, // but it doesn't guarantee that properties required by API are set -func NewGetFedCmParametersResponseWithDefaults() *GetFedCmParametersResponse { - this := GetFedCmParametersResponse{} +func NewCreateFedcmFlowResponseWithDefaults() *CreateFedcmFlowResponse { + this := CreateFedcmFlowResponse{} return &this } // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. -func (o *GetFedCmParametersResponse) GetCsrfToken() string { +func (o *CreateFedcmFlowResponse) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { var ret string return ret 
@@ -49,7 +49,7 @@ func (o *GetFedCmParametersResponse) GetCsrfToken() string { // GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise // and a boolean to check if the value has been set. -func (o *GetFedCmParametersResponse) GetCsrfTokenOk() (*string, bool) { +func (o *CreateFedcmFlowResponse) GetCsrfTokenOk() (*string, bool) { if o == nil || o.CsrfToken == nil { return nil, false } @@ -57,7 +57,7 @@ func (o *GetFedCmParametersResponse) GetCsrfTokenOk() (*string, bool) { } // HasCsrfToken returns a boolean if a field has been set. -func (o *GetFedCmParametersResponse) HasCsrfToken() bool { +func (o *CreateFedcmFlowResponse) HasCsrfToken() bool { if o != nil && o.CsrfToken != nil { return true } @@ -66,12 +66,12 @@ func (o *GetFedCmParametersResponse) HasCsrfToken() bool { } // SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field. -func (o *GetFedCmParametersResponse) SetCsrfToken(v string) { +func (o *CreateFedcmFlowResponse) SetCsrfToken(v string) { o.CsrfToken = &v } // GetProviders returns the Providers field value if set, zero value otherwise. -func (o *GetFedCmParametersResponse) GetProviders() []Provider { +func (o *CreateFedcmFlowResponse) GetProviders() []Provider { if o == nil || o.Providers == nil { var ret []Provider return ret @@ -81,7 +81,7 @@ func (o *GetFedCmParametersResponse) GetProviders() []Provider { // GetProvidersOk returns a tuple with the Providers field value if set, nil otherwise // and a boolean to check if the value has been set. -func (o *GetFedCmParametersResponse) GetProvidersOk() ([]Provider, bool) { +func (o *CreateFedcmFlowResponse) GetProvidersOk() ([]Provider, bool) { if o == nil || o.Providers == nil { return nil, false } 
@@ -89,7 +89,7 @@ func (o *GetFedCmParametersResponse) GetProvidersOk() ([]Provider, bool) { } // HasProviders returns a boolean if a field has been set. -func (o *GetFedCmParametersResponse) HasProviders() bool { +func (o *CreateFedcmFlowResponse) HasProviders() bool { if o != nil && o.Providers != nil { return true } @@ -98,11 +98,11 @@ func (o *GetFedCmParametersResponse) HasProviders() bool { } // SetProviders gets a reference to the given []Provider and assigns it to the Providers field. -func (o *GetFedCmParametersResponse) SetProviders(v []Provider) { +func (o *CreateFedcmFlowResponse) SetProviders(v []Provider) { o.Providers = v } -func (o GetFedCmParametersResponse) MarshalJSON() ([]byte, error) { +func (o CreateFedcmFlowResponse) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken 
@@ -113,38 +113,38 @@ func (o GetFedCmParametersResponse) MarshalJSON() ([]byte, error) { return json.Marshal(toSerialize) } -type NullableGetFedCmParametersResponse struct { - value *GetFedCmParametersResponse +type NullableCreateFedcmFlowResponse struct { + value *CreateFedcmFlowResponse isSet bool } -func (v NullableGetFedCmParametersResponse) Get() *GetFedCmParametersResponse { +func (v NullableCreateFedcmFlowResponse) Get() *CreateFedcmFlowResponse { return v.value } -func (v *NullableGetFedCmParametersResponse) Set(val *GetFedCmParametersResponse) { +func (v *NullableCreateFedcmFlowResponse) Set(val *CreateFedcmFlowResponse) { v.value = val v.isSet = true } -func (v NullableGetFedCmParametersResponse) IsSet() bool { +func (v NullableCreateFedcmFlowResponse) IsSet() bool { return v.isSet } -func (v *NullableGetFedCmParametersResponse) Unset() { +func (v *NullableCreateFedcmFlowResponse) Unset() { v.value = nil v.isSet = false } -func NewNullableGetFedCmParametersResponse(val *GetFedCmParametersResponse) *NullableGetFedCmParametersResponse { - return &NullableGetFedCmParametersResponse{value: val, isSet: true} +func NewNullableCreateFedcmFlowResponse(val *CreateFedcmFlowResponse) *NullableCreateFedcmFlowResponse { + return &NullableCreateFedcmFlowResponse{value: val, isSet: true} } -func (v NullableGetFedCmParametersResponse) MarshalJSON() ([]byte, error) { +func (v NullableCreateFedcmFlowResponse) MarshalJSON() ([]byte, error) { return json.Marshal(v.value) } -func (v *NullableGetFedCmParametersResponse) UnmarshalJSON(src []byte) error { +func (v *NullableCreateFedcmFlowResponse) UnmarshalJSON(src []byte) error { v.isSet = true return json.Unmarshal(src, &v.value) } 
diff --git a/internal/httpclient/model_submit_fedcm_token_body.go b/internal/httpclient/model_update_fedcm_flow_body.go similarity index 63% rename from internal/httpclient/model_submit_fedcm_token_body.go rename to internal/httpclient/model_update_fedcm_flow_body.go index a8032c3a8cce..2d630d8ece53 100644 --- a/internal/httpclient/model_submit_fedcm_token_body.go +++ b/internal/httpclient/model_update_fedcm_flow_body.go @@ -15,8 +15,8 @@ import ( "encoding/json" ) -// SubmitFedcmTokenBody struct for SubmitFedcmTokenBody -type SubmitFedcmTokenBody struct { +// UpdateFedcmFlowBody struct for UpdateFedcmFlowBody +type UpdateFedcmFlowBody struct { // CSRFToken is the anti-CSRF token. CsrfToken string `json:"csrf_token"` // Nonce is the nonce that was used in the `navigator.credentials.get` call. If specified, it must match the `nonce` claim in the token. 
@@ -25,27 +25,27 @@ type SubmitFedcmTokenBody struct { Token string `json:"token"` } -// NewSubmitFedcmTokenBody instantiates a new SubmitFedcmTokenBody object +// NewUpdateFedcmFlowBody instantiates a new UpdateFedcmFlowBody object // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewSubmitFedcmTokenBody(csrfToken string, token string) *SubmitFedcmTokenBody { - this := SubmitFedcmTokenBody{} +func NewUpdateFedcmFlowBody(csrfToken string, token string) *UpdateFedcmFlowBody { + this := UpdateFedcmFlowBody{} this.CsrfToken = csrfToken this.Token = token return &this } -// NewSubmitFedcmTokenBodyWithDefaults instantiates a new SubmitFedcmTokenBody object +// NewUpdateFedcmFlowBodyWithDefaults instantiates a new UpdateFedcmFlowBody object // This constructor will only assign default values to properties that have it defined, // but it doesn't guarantee that properties required by API are set -func NewSubmitFedcmTokenBodyWithDefaults() *SubmitFedcmTokenBody { - this := SubmitFedcmTokenBody{} +func NewUpdateFedcmFlowBodyWithDefaults() *UpdateFedcmFlowBody { + this := UpdateFedcmFlowBody{} return &this } // GetCsrfToken returns the CsrfToken field value -func (o *SubmitFedcmTokenBody) GetCsrfToken() string { +func (o *UpdateFedcmFlowBody) GetCsrfToken() string { if o == nil { var ret string return ret @@ -56,7 +56,7 @@ func (o *SubmitFedcmTokenBody) GetCsrfToken() string { // GetCsrfTokenOk returns a tuple with the CsrfToken field value // and a boolean to check if the value has been set. -func (o *SubmitFedcmTokenBody) GetCsrfTokenOk() (*string, bool) { +func (o *UpdateFedcmFlowBody) GetCsrfTokenOk() (*string, bool) { if o == nil { return nil, false } 
@@ -64,12 +64,12 @@ func (o *SubmitFedcmTokenBody) GetCsrfTokenOk() (*string, bool) { } // SetCsrfToken sets field value -func (o *SubmitFedcmTokenBody) SetCsrfToken(v string) { +func (o *UpdateFedcmFlowBody) SetCsrfToken(v string) { o.CsrfToken = v } // GetNonce returns the Nonce field value if set, zero value otherwise. -func (o *SubmitFedcmTokenBody) GetNonce() string { +func (o *UpdateFedcmFlowBody) GetNonce() string { if o == nil || o.Nonce == nil { var ret string return ret @@ -79,7 +79,7 @@ func (o *SubmitFedcmTokenBody) GetNonce() string { // GetNonceOk returns a tuple with the Nonce field value if set, nil otherwise // and a boolean to check if the value has been set. -func (o *SubmitFedcmTokenBody) GetNonceOk() (*string, bool) { +func (o *UpdateFedcmFlowBody) GetNonceOk() (*string, bool) { if o == nil || o.Nonce == nil { return nil, false } @@ -87,7 +87,7 @@ func (o *SubmitFedcmTokenBody) GetNonceOk() (*string, bool) { } // HasNonce returns a boolean if a field has been set. -func (o *SubmitFedcmTokenBody) HasNonce() bool { +func (o *UpdateFedcmFlowBody) HasNonce() bool { if o != nil && o.Nonce != nil { return true } @@ -96,12 +96,12 @@ func (o *SubmitFedcmTokenBody) HasNonce() bool { } // SetNonce gets a reference to the given string and assigns it to the Nonce field. -func (o *SubmitFedcmTokenBody) SetNonce(v string) { +func (o *UpdateFedcmFlowBody) SetNonce(v string) { o.Nonce = &v } // GetToken returns the Token field value -func (o *SubmitFedcmTokenBody) GetToken() string { +func (o *UpdateFedcmFlowBody) GetToken() string { if o == nil { var ret string return ret @@ -112,7 +112,7 @@ func (o *SubmitFedcmTokenBody) GetToken() string { // GetTokenOk returns a tuple with the Token field value // and a boolean to check if the value has been set. -func (o *SubmitFedcmTokenBody) GetTokenOk() (*string, bool) { +func (o *UpdateFedcmFlowBody) GetTokenOk() (*string, bool) { if o == nil { return nil, false } 
@@ -120,11 +120,11 @@ func (o *SubmitFedcmTokenBody) GetTokenOk() (*string, bool) { } // SetToken sets field value -func (o *SubmitFedcmTokenBody) SetToken(v string) { +func (o *UpdateFedcmFlowBody) SetToken(v string) { o.Token = v } -func (o SubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { +func (o UpdateFedcmFlowBody) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} if true { toSerialize["csrf_token"] = o.CsrfToken 
@@ -138,38 +138,38 @@ func (o SubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { return json.Marshal(toSerialize) } -type NullableSubmitFedcmTokenBody struct { - value *SubmitFedcmTokenBody +type NullableUpdateFedcmFlowBody struct { + value *UpdateFedcmFlowBody isSet bool } -func (v NullableSubmitFedcmTokenBody) Get() *SubmitFedcmTokenBody { +func (v NullableUpdateFedcmFlowBody) Get() *UpdateFedcmFlowBody { return v.value } -func (v *NullableSubmitFedcmTokenBody) Set(val *SubmitFedcmTokenBody) { +func (v *NullableUpdateFedcmFlowBody) Set(val *UpdateFedcmFlowBody) { v.value = val v.isSet = true } -func (v NullableSubmitFedcmTokenBody) IsSet() bool { +func (v NullableUpdateFedcmFlowBody) IsSet() bool { return v.isSet } -func (v *NullableSubmitFedcmTokenBody) Unset() { +func (v *NullableUpdateFedcmFlowBody) Unset() { v.value = nil v.isSet = false } -func NewNullableSubmitFedcmTokenBody(val *SubmitFedcmTokenBody) *NullableSubmitFedcmTokenBody { - return &NullableSubmitFedcmTokenBody{value: val, isSet: true} +func NewNullableUpdateFedcmFlowBody(val *UpdateFedcmFlowBody) *NullableUpdateFedcmFlowBody { + return &NullableUpdateFedcmFlowBody{value: val, isSet: true} } -func (v NullableSubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { +func (v NullableUpdateFedcmFlowBody) MarshalJSON() ([]byte, error) { return json.Marshal(v.value) } -func (v *NullableSubmitFedcmTokenBody) UnmarshalJSON(src []byte) error { +func (v *NullableUpdateFedcmFlowBody) UnmarshalJSON(src []byte) error { v.isSet = true return json.Unmarshal(src, &v.value) } diff --git a/selfservice/strategy/oidc/fedcm/definitions.go b/selfservice/strategy/oidc/fedcm/definitions.go index 2e14c03ed174..c8665b3e614d 100644 --- a/selfservice/strategy/oidc/fedcm/definitions.go +++ b/selfservice/strategy/oidc/fedcm/definitions.go 
@@ -40,17 +40,17 @@ type Provider struct { Parameters map[string]string `json:"parameters,omitempty"` } -// GetParametersResponse +// CreateFedcmFlowResponse // // Contains a list of all available FedCM providers. // -// swagger:model getFedCmParametersResponse -type GetParametersResponse struct { +// swagger:model createFedcmFlowResponse +type CreateFedcmFlowResponse struct { Providers []Provider `json:"providers"` CSRFToken string `json:"csrf_token"` } -// swagger:route GET /self-service/fed-cm/parameters frontend getFedcmParameters +// swagger:route GET /self-service/fed-cm/parameters frontend createFedcmFlow // // # Get FedCM Parameters // @@ -65,11 +65,11 @@ type GetParametersResponse struct { // Schemes: http, https // // Responses: -// 200: getFedCmParametersResponse +// 200: createFedcmFlowResponse // 400: errorGeneric // default: errorGeneric -type SubmitFedcmTokenBody struct { +type UpdateFedcmFlowBody struct { // Token contains the result of `navigator.credentials.get`. // // required: true @@ -87,17 +87,17 @@ type SubmitFedcmTokenBody struct { CSRFToken string `json:"csrf_token"` } -// swagger:parameters submitFedcmToken +// swagger:parameters updateFedcmFlow // //nolint:deadcode,unused //lint:ignore U1000 Used to generate Swagger and OpenAPI definitions -type submitFedcmToken struct { +type updateFedcmFlow struct { // in: body // required: true - Body SubmitFedcmTokenBody + Body UpdateFedcmFlowBody } -// swagger:route POST /self-service/fed-cm/token frontend submitFedcmToken +// swagger:route POST /self-service/fed-cm/token frontend updateFedcmFlow // // # Submit a FedCM token // diff --git a/selfservice/strategy/oidc/provider_netid.go b/selfservice/strategy/oidc/provider_netid.go index ec74d560290f..9e4a79aba581 100644 --- a/selfservice/strategy/oidc/provider_netid.go +++ b/selfservice/strategy/oidc/provider_netid.go @@ -4,11 +4,9 @@ package oidc import ( - "bytes" "context" "encoding/json" "fmt" - "io" "net/url" "slices" "strings" 
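Review bot: The route comment for `GET /self-service/fed-cm/parameters` now carries the operation id `createFedcmFlow`, but the heading two lines below still reads `// # Get FedCM Parameters` and the response type keeps the description "Contains a list of all available FedCM providers", so generated SDKs will expose a `CreateFedcmFlow` method whose summary says "Get". Either retitle the block to match the new name (`// # Create a FedCM flow`) and mention in the description that the response also issues the `csrf_token` which the later `updateFedcmFlow` call presumably has to echo back, or keep a `get…` id; the current mix reads as if two different endpoints were documented. The same rename-without-retitle applies to the `POST /self-service/fed-cm/token` route, whose heading still reads `// # Submit a FedCM token` next to `updateFedcmFlow`. Both route doc blocks continue past this hunk.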
diff --git a/spec/api.json b/spec/api.json index f3d10ce2e570..84cf2d9ed6ab 100644 --- a/spec/api.json +++ b/spec/api.json @@ -456,7 +456,15 @@ "title": "RecoveryAddressType must not exceed 16 characters as that is the limitation in the SQL Schema.", "type": "string" }, - "SubmitFedcmTokenBody": { + "Time": { + "format": "date-time", + "type": "string" + }, + "UUID": { + "format": "uuid4", + "type": "string" + }, + "UpdateFedcmFlowBody": { "properties": { "csrf_token": { "description": "CSRFToken is the anti-CSRF token.", @@ -477,14 +485,6 @@ ], "type": "object" }, - "Time": { - "format": "date-time", - "type": "string" - }, - "UUID": { - "format": "uuid4", - "type": "string" - }, "authenticatorAssuranceLevel": { "description": "The authenticator assurance level can be one of \"aal1\", \"aal2\", or \"aal3\". A higher number means that it is harder\nfor an attacker to compromise the account.\n\nGenerally, \"aal1\" implies that one authentication factor was used while AAL2 implies that two factors (e.g.\npassword + TOTP) have been used.\n\nTo learn more about these levels please head over to: https://www.ory.sh/kratos/docs/concepts/credentials", "enum": [ @@ -736,6 +736,22 @@ "title": "A Message's Type", "type": "string" }, + "createFedcmFlowResponse": { + "description": "Contains a list of all available FedCM providers.", + "properties": { + "csrf_token": { + "type": "string" + }, + "providers": { + "items": { + "$ref": "#/components/schemas/Provider" + }, + "type": "array" + } + }, + "title": "CreateFedcmFlowResponse", + "type": "object" + }, "createIdentityBody": { "description": "Create Identity Body", "properties": { 
@@ -965,22 +981,6 @@ ], "type": "object" }, - "getFedCmParametersResponse": { - "description": "Contains a list of all available FedCM providers.", - "properties": { - "csrf_token": { - "type": "string" - }, - "providers": { - "items": { - "$ref": "#/components/schemas/Provider" - }, - "type": "array" - } - }, - "title": "GetParametersResponse", - "type": "object" - }, "healthNotReadyStatus": { "properties": { "errors": { @@ -5564,17 +5564,17 @@ "/self-service/fed-cm/parameters": { "get": { "description": "This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network.", - "operationId": "getFedcmParameters", + "operationId": "createFedcmFlow", "responses": { "200": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/getFedCmParametersResponse" + "$ref": "#/components/schemas/createFedcmFlowResponse" } } }, - "description": "getFedCmParametersResponse" + "description": "createFedcmFlowResponse" }, "400": { "content": { @@ -5606,17 +5606,17 @@ "/self-service/fed-cm/token": { "post": { "description": "Use this endpoint to submit a token from a FedCM provider through\n`navigator.credentials.get` and log the user in. The parameters from\n`navigator.credentials.get` must have come from `GET\nself-service/fed-cm/parameters`.", - "operationId": "submitFedcmToken", + "operationId": "updateFedcmFlow", "requestBody": { "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SubmitFedcmTokenBody" + "$ref": "#/components/schemas/UpdateFedcmFlowBody" } }, "application/x-www-form-urlencoded": { "schema": { - "$ref": "#/components/schemas/SubmitFedcmTokenBody" + "$ref": "#/components/schemas/UpdateFedcmFlowBody" } } }, diff --git a/spec/swagger.json b/spec/swagger.json index 97b6de6c018b..dbed6c5be265 100755 --- a/spec/swagger.json +++ b/spec/swagger.json 
@@ -1494,12 +1494,12 @@ "frontend" ], "summary": "Get FedCM Parameters", - "operationId": "getFedcmParameters", + "operationId": "createFedcmFlow", "responses": { "200": { - "description": "getFedCmParametersResponse", + "description": "createFedcmFlowResponse", "schema": { - "$ref": "#/definitions/getFedCmParametersResponse" + "$ref": "#/definitions/createFedcmFlowResponse" } }, "400": { @@ -1535,14 +1535,14 @@ "frontend" ], "summary": "Submit a FedCM token", - "operationId": "submitFedcmToken", + "operationId": "updateFedcmFlow", "parameters": [ { "name": "Body", "in": "body", "required": true, "schema": { - "$ref": "#/definitions/SubmitFedcmTokenBody" + "$ref": "#/definitions/UpdateFedcmFlowBody" } } ], @@ -3759,7 +3759,8 @@ "type": "string", "title": "RecoveryAddressType must not exceed 16 characters as that is the limitation in the SQL Schema." }, - "SubmitFedcmTokenBody": { + "UUID": {"type": "string", "format": "uuid4"}, + "UpdateFedcmFlowBody": { "type": "object", "required": [ "token", @@ -3780,7 +3781,6 @@ } } }, - "UUID": {"type": "string", "format": "uuid4"}, "authenticatorAssuranceLevel": { "description": "The authenticator assurance level can be one of \"aal1\", \"aal2\", or \"aal3\". A higher number means that it is harder\nfor an attacker to compromise the account.\n\nGenerally, \"aal1\" implies that one authentication factor was used while AAL2 implies that two factors (e.g.\npassword + TOTP) have been used.\n\nTo learn more about these levels please head over to: https://www.ory.sh/kratos/docs/concepts/credentials", "type": "string", 
@@ -3991,6 +3991,22 @@ "format": "int64", "title": "A Message's Type" }, + "createFedcmFlowResponse": { + "description": "Contains a list of all available FedCM providers.", + "type": "object", + "title": "CreateFedcmFlowResponse", + "properties": { + "csrf_token": { + "type": "string" + }, + "providers": { + "type": "array", + "items": { + "$ref": "#/definitions/Provider" + } + } + } + }, "createIdentityBody": { "description": "Create Identity Body", "type": "object", @@ -4223,22 +4239,6 @@ } } }, - "getFedCmParametersResponse": { - "description": "Contains a list of all available FedCM providers.", - "type": "object", - "title": "GetParametersResponse", - "properties": { - "csrf_token": { - "type": "string" - }, - "providers": { - "type": "array", - "items": { - "$ref": "#/definitions/Provider" - } - } - } - }, "healthNotReadyStatus": { "type": "object", "title": "The not ready status of the service.", From 4ac0f422b0c5510ac3c698d89680d8d59ee58419 Mon Sep 17 00:00:00 2001 From: Henning Perl Date: Sun, 2 Feb 2025 10:25:12 +0100 Subject: [PATCH 9/9] exclude netid provider from coverage --- codecov.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/codecov.yml b/codecov.yml index 620228c31857..595b2071aee2 100644 --- a/codecov.yml +++ b/codecov.yml @@ -10,3 +10,4 @@ ignore: - "internal" - "docs" - "contrib" + - "selfservice/strategy/oidc/provider_netid.go" # No way to test this provider automatically
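Review bot: The new ignore entry removes `selfservice/strategy/oidc/provider_netid.go` from coverage reporting altogether, so a later change to that provider's token handling (the earlier hunk in this series drops its `bytes` and `io` imports, which suggests the request/parsing code was reworked) will no longer show up as untested. The trailing comment should name what actually blocks automated testing so the exclusion can be revisited, e.g. `# NetID has no sandbox/mock endpoint; revisit once one exists` — adjust to the real reason. If only the outbound network call is untestable, consider keeping the file measured and accepting the uncovered lines rather than hiding the whole file.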