From 3517cf30d2a99421ff95b78a53bfae3246640d59 Mon Sep 17 00:00:00 2001 
From: Henning Perl Date: Wed, 22 Jan 2025 15:09:49 +0100 Subject: [PATCH 1/2] feat: more extension points --- driver/registry.go | 9 + driver/registry_default.go | 20 ++ driver/registry_default_hooks.go | 3 + embedx/config.schema.json | 10 +- internal/client-go/.openapi-generator/FILES | 6 + internal/client-go/README.md | 5 + internal/client-go/api_frontend.go | 302 ++++++++++++++++ internal/client-go/go.sum | 2 + .../model_get_parameters_response.go | 150 ++++++++ internal/client-go/model_provider.go | 337 ++++++++++++++++++ .../model_submit_fedcm_token_body.go | 114 ++++++ ...odel_update_login_flow_with_oidc_method.go | 68 ++-- ...date_registration_flow_with_oidc_method.go | 68 ++-- ...l_update_settings_flow_with_oidc_method.go | 6 +- internal/httpclient/.openapi-generator/FILES | 6 + internal/httpclient/README.md | 5 + internal/httpclient/api_frontend.go | 302 ++++++++++++++++ .../model_get_parameters_response.go | 150 ++++++++ internal/httpclient/model_provider.go | 337 ++++++++++++++++++ .../model_submit_fedcm_token_body.go | 114 ++++++ ...odel_update_login_flow_with_oidc_method.go | 68 ++-- ...date_registration_flow_with_oidc_method.go | 68 ++-- ...l_update_settings_flow_with_oidc_method.go | 6 +- .../strategy/oidc/fedcm/definitions.go | 121 +++++++ selfservice/strategy/oidc/pkce.go | 6 +- selfservice/strategy/oidc/provider_apple.go | 6 +- selfservice/strategy/oidc/provider_config.go | 5 + selfservice/strategy/oidc/provider_google.go | 1 + selfservice/strategy/oidc/provider_netid.go | 44 ++- .../strategy/oidc/provider_test_fedcm.go | 49 +++ .../strategy/oidc/provider_test_fedcm_test.go | 26 ++ selfservice/strategy/oidc/strategy.go | 68 ++-- selfservice/strategy/oidc/strategy_login.go | 44 +-- .../strategy/oidc/strategy_registration.go | 58 +-- .../strategy/oidc/strategy_settings.go | 2 +- selfservice/strategy/oidc/token_verifier.go | 11 + spec/api.json | 224 +++++++++++- spec/swagger.json | 207 ++++++++++- x/router.go | 5 + 39 files changed, 2754 
insertions(+), 279 deletions(-) create mode 100644 internal/client-go/model_get_parameters_response.go create mode 100644 internal/client-go/model_provider.go create mode 100644 internal/client-go/model_submit_fedcm_token_body.go create mode 100644 internal/httpclient/model_get_parameters_response.go create mode 100644 internal/httpclient/model_provider.go create mode 100644 internal/httpclient/model_submit_fedcm_token_body.go create mode 100644 selfservice/strategy/oidc/fedcm/definitions.go create mode 100644 selfservice/strategy/oidc/provider_test_fedcm.go create mode 100644 selfservice/strategy/oidc/provider_test_fedcm_test.go diff --git a/driver/registry.go b/driver/registry.go index e284d6f6a6dd..9f0e7cb3cdde 100644 --- a/driver/registry.go +++ b/driver/registry.go @@ -185,6 +185,7 @@ type options struct { extraGoMigrations popx.Migrations replacementStrategies []NewStrategy extraHooks map[string]func(config.SelfServiceHook) any + extraHandlers []NewHandlerRegistrar disableMigrationLogging bool jsonnetPool jsonnetsecure.Pool } @@ -236,6 +237,14 @@ func WithExtraHooks(hooks map[string]func(config.SelfServiceHook) any) RegistryO } } +type NewHandlerRegistrar func(deps any) x.HandlerRegistrar + +func WithExtraHandlers(handlers ...NewHandlerRegistrar) RegistryOption { + return func(o *options) { + o.extraHandlers = handlers + } +} + func Inspect(f func(reg Registry) error) RegistryOption { return func(o *options) { o.inspect = f diff --git a/driver/registry_default.go b/driver/registry_default.go index 464f7881f626..73f0ef14fd8a 100644 --- a/driver/registry_default.go +++ b/driver/registry_default.go @@ -78,6 +78,8 @@ type RegistryDefault struct { ctxer contextx.Contextualizer injectedSelfserviceHooks map[string]func(config.SelfServiceHook) interface{} + extraHandlerFactories []NewHandlerRegistrar + extraHandlers []x.HandlerRegistrar nosurf nosurf.Handler trc *otelx.Tracer 
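Review bot: `NewHandlerRegistrar` and `WithExtraHandlers` are exported without doc comments, and the `deps any` parameter gives an extension no compile-time contract for what it receives — the only hint is the `newHandler(m)` call in `ExtraHandlers`, which passes the `*RegistryDefault`. If the loosened type is not needed to break an import cycle (I cannot tell from here), `func(deps Registry) x.HandlerRegistrar` would let extensions call registry methods without a type assertion; `Registry` is already referenced by `Inspect` in this hunk. Otherwise at least document it: `// NewHandlerRegistrar builds an extra x.HandlerRegistrar from the registry. deps is the *RegistryDefault passed as any; the registrar's routes are mounted on both the public and admin routers.`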
@@ -175,6 +177,9 @@ func (m *RegistryDefault) Audit() *logrusx.Logger { } func (m *RegistryDefault) RegisterPublicRoutes(ctx context.Context, router *x.RouterPublic) { + for _, h := range m.ExtraHandlers() { + h.RegisterPublicRoutes(router) + } m.LoginHandler().RegisterPublicRoutes(router) m.RegistrationHandler().RegisterPublicRoutes(router) m.LogoutHandler().RegisterPublicRoutes(router) @@ -198,6 +203,9 @@ func (m *RegistryDefault) RegisterPublicRoutes(ctx context.Context, router *x.Ro } func (m *RegistryDefault) RegisterAdminRoutes(ctx context.Context, router *x.RouterAdmin) { + for _, h := range m.ExtraHandlers() { + h.RegisterAdminRoutes(router) + } m.RegistrationHandler().RegisterAdminRoutes(router) m.LoginHandler().RegisterAdminRoutes(router) m.LogoutHandler().RegisterAdminRoutes(router) @@ -640,6 +648,9 @@ func (m *RegistryDefault) Init(ctx context.Context, ctxer contextx.Contextualize if o.extraHooks != nil { m.WithHooks(o.extraHooks) } + if o.extraHandlers != nil { + m.WithExtraHandlers(o.extraHandlers) + } if o.replaceIdentitySchemaProvider != nil { m.identitySchemaProvider = o.replaceIdentitySchemaProvider(m) @@ -904,3 +915,12 @@ func (m *RegistryDefault) SessionTokenizer() *session.Tokenizer { } return m.sessionTokenizer } + +func (m *RegistryDefault) ExtraHandlers() []x.HandlerRegistrar { + if m.extraHandlers == nil { + for _, newHandler := range m.extraHandlerFactories { + m.extraHandlers = append(m.extraHandlers, newHandler(m)) + } + } + return m.extraHandlers +} diff --git a/driver/registry_default_hooks.go b/driver/registry_default_hooks.go index 73a855daadc5..8b5bfd8bb2a0 100644 --- a/driver/registry_default_hooks.go +++ b/driver/registry_default_hooks.go 
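Review bot: In `RegisterPublicRoutes` and `RegisterAdminRoutes` the extra handlers are mounted before every built-in handler, so whether an extension route can shadow a built-in path such as the login, session or logout routes is decided by registration order and is not stated anywhere. Whether a duplicate path panics at startup or silently overrides depends on `x.RouterPublic`/`x.RouterAdmin`, which are not visible in this chunk; in either case a comment at the loop, `// Extension handlers are registered first; they must not claim paths owned by the built-in handlers.`, plus a test that registers a conflicting extension, would pin the intended behaviour. Note also that every route an extension adds on the public router is reachable without authentication by construction, so the extension point should say that extensions own their own auth and CSRF checks. `ExtraHandlers` guards its cache only with `== nil`, so with no factories the loop re-runs on every call — harmless, but `len(m.extraHandlerFactories) > 0` would make the intent clearer.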
@@ -60,6 +60,9 @@ func (m *RegistryDefault) HookTwoStepRegistration() *hook.TwoStepRegistration { func (m *RegistryDefault) WithHooks(hooks map[string]func(config.SelfServiceHook) interface{}) { m.injectedSelfserviceHooks = hooks } +func (m *RegistryDefault) WithExtraHandlers(handlers []NewHandlerRegistrar) { + m.extraHandlerFactories = handlers +} func (m *RegistryDefault) getHooks(credentialsType string, configs []config.SelfServiceHook) (i []interface{}) { var addSessionIssuer bool diff --git a/embedx/config.schema.json b/embedx/config.schema.json index 5fcf826f4c2a..d9bb0173605e 100644 --- a/embedx/config.schema.json +++ b/embedx/config.schema.json @@ -460,7 +460,8 @@ "linkedin", "linkedin_v2", "lark", - "x" + "x", + "fedcm-test" ], "examples": ["google"] }, @@ -578,6 +579,13 @@ "type": "string", "enum": ["auto", "never", "force"], "default": "auto" + }, + "fedcm_config_url": { + "title": "Federation Configuration URL", + "description": "The URL where the FedCM IdP configuration is located for the provider.", + "type": "string", + "format": "uri", + "examples": ["https://example.com/config.json"] } }, "additionalProperties": false, diff --git a/internal/client-go/.openapi-generator/FILES b/internal/client-go/.openapi-generator/FILES index 118cf9b06463..eef4b6b4dfe9 100644 --- a/internal/client-go/.openapi-generator/FILES +++ b/internal/client-go/.openapi-generator/FILES @@ -35,6 +35,7 @@ docs/ErrorGeneric.md docs/FlowError.md docs/FrontendAPI.md docs/GenericError.md +docs/GetParametersResponse.md docs/GetVersion200Response.md docs/HealthNotReadyStatus.md docs/HealthStatus.md @@ -70,6 +71,7 @@ docs/OAuth2ConsentRequestOpenIDConnectContext.md docs/OAuth2LoginRequest.md docs/PatchIdentitiesBody.md docs/PerformNativeLogoutBody.md +docs/Provider.md docs/RecoveryCodeForIdentity.md docs/RecoveryFlow.md docs/RecoveryFlowState.md 
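Review bot: `WithExtraHandlers` replaces `m.extraHandlerFactories` but leaves the `m.extraHandlers` cache that `ExtraHandlers()` fills on first use untouched, so a registry whose handlers have already been built keeps the old set and silently ignores the new factories. Resetting the cache with the factories keeps the two fields consistent: `m.extraHandlerFactories = handlers` followed by `m.extraHandlers = nil`. `WithHooks` just above has the same store-only shape but no derived cache, so it does not need this. A doc comment would also help: `// WithExtraHandlers replaces the factories consumed by ExtraHandlers; call it before routes are registered.`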
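Review bot: `fedcm_config_url` is validated only as `"format": "uri"`, but FedCM requires the IdP configuration URL to be a secure (https) URL, so an `http://` value passes config validation and fails only later in the browser; adding `"pattern": "^https://"` next to `"format": "uri"` rejects it at load time. Adding `fedcm-test` to the production provider enum also makes a test provider selectable in real deployments; its implementation (`provider_test_fedcm.go`) is not in this chunk, so if, as the name suggests, it does not perform real token verification, it should refuse to be used outside tests or at least be described as test-only in the enum's documentation. The description could also say what the URL is used for on the server side, since the property name alone does not tell an operator whether Kratos fetches it or merely forwards it to the browser.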
@@ -83,6 +85,7 @@ docs/SessionAuthenticationMethod.md docs/SessionDevice.md docs/SettingsFlow.md docs/SettingsFlowState.md +docs/SubmitFedcmTokenBody.md docs/SuccessfulCodeExchangeResponse.md docs/SuccessfulNativeLogin.md docs/SuccessfulNativeRegistration.md @@ -160,6 +163,7 @@ model_error_flow_replaced.go model_error_generic.go model_flow_error.go model_generic_error.go +model_get_parameters_response.go model_get_version_200_response.go model_health_not_ready_status.go model_health_status.go @@ -193,6 +197,7 @@ model_o_auth2_consent_request_open_id_connect_context.go model_o_auth2_login_request.go model_patch_identities_body.go model_perform_native_logout_body.go +model_provider.go model_recovery_code_for_identity.go model_recovery_flow.go model_recovery_flow_state.go @@ -206,6 +211,7 @@ model_session_authentication_method.go model_session_device.go model_settings_flow.go model_settings_flow_state.go +model_submit_fedcm_token_body.go model_successful_code_exchange_response.go model_successful_native_login.go model_successful_native_registration.go diff --git a/internal/client-go/README.md b/internal/client-go/README.md index 97593523117a..76576250b664 100644 --- a/internal/client-go/README.md +++ b/internal/client-go/README.md 
@@ -95,6 +95,7 @@ Class | Method | HTTP request | Description *FrontendAPI* | [**DisableMyOtherSessions**](docs/FrontendAPI.md#disablemyothersessions) | **Delete** /sessions | Disable my other sessions *FrontendAPI* | [**DisableMySession**](docs/FrontendAPI.md#disablemysession) | **Delete** /sessions/{id} | Disable one of my sessions *FrontendAPI* | [**ExchangeSessionToken**](docs/FrontendAPI.md#exchangesessiontoken) | **Get** /sessions/token-exchange | Exchange Session Token +*FrontendAPI* | [**GetFedcmParameters**](docs/FrontendAPI.md#getfedcmparameters) | **Get** /self-service/fed-cm/parameters | Get FedCM Parameters *FrontendAPI* | [**GetFlowError**](docs/FrontendAPI.md#getflowerror) | **Get** /self-service/errors | Get User-Flow Errors *FrontendAPI* | [**GetLoginFlow**](docs/FrontendAPI.md#getloginflow) | **Get** /self-service/login/flows | Get Login Flow *FrontendAPI* | [**GetRecoveryFlow**](docs/FrontendAPI.md#getrecoveryflow) | **Get** /self-service/recovery/flows | Get Recovery Flow 
@@ -104,6 +105,7 @@ Class | Method | HTTP request | Description *FrontendAPI* | [**GetWebAuthnJavaScript**](docs/FrontendAPI.md#getwebauthnjavascript) | **Get** /.well-known/ory/webauthn.js | Get WebAuthn JavaScript *FrontendAPI* | [**ListMySessions**](docs/FrontendAPI.md#listmysessions) | **Get** /sessions | Get My Active Sessions *FrontendAPI* | [**PerformNativeLogout**](docs/FrontendAPI.md#performnativelogout) | **Delete** /self-service/logout/api | Perform Logout for Native Apps +*FrontendAPI* | [**SubmitFedcmToken**](docs/FrontendAPI.md#submitfedcmtoken) | **Post** /self-service/fed-cm/token | Submit a FedCM token *FrontendAPI* | [**ToSession**](docs/FrontendAPI.md#tosession) | **Get** /sessions/whoami | Check Who the Current HTTP Session Belongs To *FrontendAPI* | [**UpdateLoginFlow**](docs/FrontendAPI.md#updateloginflow) | **Post** /self-service/login | Submit a Login Flow *FrontendAPI* | [**UpdateLogoutFlow**](docs/FrontendAPI.md#updatelogoutflow) | **Get** /self-service/logout | Update Logout Flow @@ -160,6 +162,7 @@ Class | Method | HTTP request | Description - [ErrorGeneric](docs/ErrorGeneric.md) - [FlowError](docs/FlowError.md) - [GenericError](docs/GenericError.md) + - [GetParametersResponse](docs/GetParametersResponse.md) - [GetVersion200Response](docs/GetVersion200Response.md) - [HealthNotReadyStatus](docs/HealthNotReadyStatus.md) - [HealthStatus](docs/HealthStatus.md) @@ -193,6 +196,7 @@ Class | Method | HTTP request | Description - [OAuth2LoginRequest](docs/OAuth2LoginRequest.md) - [PatchIdentitiesBody](docs/PatchIdentitiesBody.md) - [PerformNativeLogoutBody](docs/PerformNativeLogoutBody.md) + - [Provider](docs/Provider.md) - [RecoveryCodeForIdentity](docs/RecoveryCodeForIdentity.md) - [RecoveryFlow](docs/RecoveryFlow.md) - [RecoveryFlowState](docs/RecoveryFlowState.md) 
@@ -206,6 +210,7 @@ Class | Method | HTTP request | Description - [SessionDevice](docs/SessionDevice.md) - [SettingsFlow](docs/SettingsFlow.md) - [SettingsFlowState](docs/SettingsFlowState.md) + - [SubmitFedcmTokenBody](docs/SubmitFedcmTokenBody.md) - [SuccessfulCodeExchangeResponse](docs/SuccessfulCodeExchangeResponse.md) - [SuccessfulNativeLogin](docs/SuccessfulNativeLogin.md) - [SuccessfulNativeRegistration](docs/SuccessfulNativeRegistration.md) diff --git a/internal/client-go/api_frontend.go b/internal/client-go/api_frontend.go index 97266e9c4c94..2faad9a5bd32 100644 --- a/internal/client-go/api_frontend.go +++ b/internal/client-go/api_frontend.go @@ -394,6 +394,20 @@ type FrontendAPI interface { */ ExchangeSessionTokenExecute(r FrontendAPIApiExchangeSessionTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) + /* + * GetFedcmParameters Get FedCM Parameters + * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiGetFedcmParametersRequest + */ + GetFedcmParameters(ctx context.Context) FrontendAPIApiGetFedcmParametersRequest + + /* + * GetFedcmParametersExecute executes the request + * @return GetParametersResponse + */ + GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) + /* * GetFlowError Get User-Flow Errors * This endpoint returns the error associated with a user-facing self service errors. 
@@ -637,6 +651,23 @@ type FrontendAPI interface { */ PerformNativeLogoutExecute(r FrontendAPIApiPerformNativeLogoutRequest) (*http.Response, error) + /* + * SubmitFedcmToken Submit a FedCM token + * Use this endpoint to submit a token from a FedCM provider through + `navigator.credentials.get` and log the user in. The parameters from + `navigator.credentials.get` must have come from `GET + self-service/fed-cm/parameters`. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiSubmitFedcmTokenRequest + */ + SubmitFedcmToken(ctx context.Context) FrontendAPIApiSubmitFedcmTokenRequest + + /* + * SubmitFedcmTokenExecute executes the request + * @return SuccessfulNativeLogin + */ + SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcmTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) + /* * ToSession Check Who the Current HTTP Session Belongs To * Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated. 
@@ -3104,6 +3135,124 @@ func (a *FrontendAPIService) ExchangeSessionTokenExecute(r FrontendAPIApiExchang return localVarReturnValue, localVarHTTPResponse, nil } +type FrontendAPIApiGetFedcmParametersRequest struct { + ctx context.Context + ApiService FrontendAPI +} + +func (r FrontendAPIApiGetFedcmParametersRequest) Execute() (*GetParametersResponse, *http.Response, error) { + return r.ApiService.GetFedcmParametersExecute(r) +} + +/* + * GetFedcmParameters Get FedCM Parameters + * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiGetFedcmParametersRequest + */ +func (a *FrontendAPIService) GetFedcmParameters(ctx context.Context) FrontendAPIApiGetFedcmParametersRequest { + return FrontendAPIApiGetFedcmParametersRequest{ + ApiService: a, + ctx: ctx, + } +} + +/* + * Execute executes the request + * @return GetParametersResponse + */ +func (a *FrontendAPIService) GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) { + var ( + localVarHTTPMethod = http.MethodGet + localVarPostBody interface{} + localVarFormFileName string + localVarFileName string + localVarFileBytes []byte + localVarReturnValue *GetParametersResponse + ) + + localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.GetFedcmParameters") + if err != nil { + return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} + } + + localVarPath := localBasePath + "/self-service/fed-cm/parameters" + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := url.Values{} + localVarFormParams := url.Values{} + + // to determine the Content-Type header + localVarHTTPContentTypes := []string{} + + // set Content-Type header + localVarHTTPContentType := 
selectHeaderContentType(localVarHTTPContentTypes) + if localVarHTTPContentType != "" { + localVarHeaderParams["Content-Type"] = localVarHTTPContentType + } + + // to determine the Accept header + localVarHTTPHeaderAccepts := []string{"application/json"} + + // set Accept header + localVarHTTPHeaderAccept := selectHeaderAccept(localVarHTTPHeaderAccepts) + if localVarHTTPHeaderAccept != "" { + localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept + } + req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.client.callAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + localVarBody, err := io.ReadAll(io.LimitReader(localVarHTTPResponse.Body, 1024*1024)) + localVarHTTPResponse.Body.Close() + localVarHTTPResponse.Body = io.NopCloser(bytes.NewBuffer(localVarBody)) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 400 { + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + + err = 
a.client.decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: err.Error(), + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + return localVarReturnValue, localVarHTTPResponse, nil +} + type FrontendAPIApiGetFlowErrorRequest struct { ctx context.Context ApiService FrontendAPI 
@@ -4539,6 +4688,159 @@ func (a *FrontendAPIService) PerformNativeLogoutExecute(r FrontendAPIApiPerformN return localVarHTTPResponse, nil } +type FrontendAPIApiSubmitFedcmTokenRequest struct { + ctx context.Context + ApiService FrontendAPI + submitFedcmTokenBody *SubmitFedcmTokenBody +} + +func (r FrontendAPIApiSubmitFedcmTokenRequest) SubmitFedcmTokenBody(submitFedcmTokenBody SubmitFedcmTokenBody) FrontendAPIApiSubmitFedcmTokenRequest { + r.submitFedcmTokenBody = &submitFedcmTokenBody + return r +} + +func (r FrontendAPIApiSubmitFedcmTokenRequest) Execute() (*SuccessfulNativeLogin, *http.Response, error) { + return r.ApiService.SubmitFedcmTokenExecute(r) +} + +/* + - SubmitFedcmToken Submit a FedCM token + - Use this endpoint to submit a token from a FedCM provider through + +`navigator.credentials.get` and log the user in. The parameters from +`navigator.credentials.get` must have come from `GET +self-service/fed-cm/parameters`. + - @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). 
+ - @return FrontendAPIApiSubmitFedcmTokenRequest +*/ +func (a *FrontendAPIService) SubmitFedcmToken(ctx context.Context) FrontendAPIApiSubmitFedcmTokenRequest { + return FrontendAPIApiSubmitFedcmTokenRequest{ + ApiService: a, + ctx: ctx, + } +} + +/* + * Execute executes the request + * @return SuccessfulNativeLogin + */ +func (a *FrontendAPIService) SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcmTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) { + var ( + localVarHTTPMethod = http.MethodPost + localVarPostBody interface{} + localVarFormFileName string + localVarFileName string + localVarFileBytes []byte + localVarReturnValue *SuccessfulNativeLogin + ) + + localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.SubmitFedcmToken") + if err != nil { + return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} + } + + localVarPath := localBasePath + "/self-service/fed-cm/token" + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := url.Values{} + localVarFormParams := url.Values{} + if r.submitFedcmTokenBody == nil { + return localVarReturnValue, nil, reportError("submitFedcmTokenBody is required and must be specified") + } + + // to determine the Content-Type header + localVarHTTPContentTypes := []string{"application/json", "application/x-www-form-urlencoded"} + + // set Content-Type header + localVarHTTPContentType := selectHeaderContentType(localVarHTTPContentTypes) + if localVarHTTPContentType != "" { + localVarHeaderParams["Content-Type"] = localVarHTTPContentType + } + + // to determine the Accept header + localVarHTTPHeaderAccepts := []string{"application/json"} + + // set Accept header + localVarHTTPHeaderAccept := selectHeaderAccept(localVarHTTPHeaderAccepts) + if localVarHTTPHeaderAccept != "" { + localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept + } + // body params + localVarPostBody = r.submitFedcmTokenBody + req, err := a.client.prepareRequest(r.ctx, localVarPath, 
localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.client.callAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + localVarBody, err := io.ReadAll(io.LimitReader(localVarHTTPResponse.Body, 1024*1024)) + localVarHTTPResponse.Body.Close() + localVarHTTPResponse.Body = io.NopCloser(bytes.NewBuffer(localVarBody)) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 400 { + var v LoginFlow + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + if localVarHTTPResponse.StatusCode == 410 { + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + if localVarHTTPResponse.StatusCode == 422 { + var v ErrorBrowserLocationChangeRequired + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err 
!= nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + + err = a.client.decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: err.Error(), + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + return localVarReturnValue, localVarHTTPResponse, nil +} + type FrontendAPIApiToSessionRequest struct { ctx context.Context ApiService FrontendAPI diff --git a/internal/client-go/go.sum b/internal/client-go/go.sum index c966c8ddfd0d..734252e68153 100644 --- a/internal/client-go/go.sum +++ b/internal/client-go/go.sum @@ -4,6 +4,8 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= diff --git a/internal/client-go/model_get_parameters_response.go b/internal/client-go/model_get_parameters_response.go new file mode 100644 index 000000000000..17616c790407 --- /dev/null +++ b/internal/client-go/model_get_parameters_response.go 
@@ -0,0 +1,150 @@ +/* + * Ory Identities API + * + * This is the API specification for Ory Identities with features such as registration, login, recovery, account verification, profile settings, password reset, identity management, session management, email and sms delivery, and more. + * + * API version: + * Contact: office@ory.sh + */ + +// Code generated by OpenAPI Generator (https://openapi-generator.tech); DO NOT EDIT. + +package client + +import ( + "encoding/json" +) + +// GetParametersResponse Contains a list of all available FedCM providers. +type GetParametersResponse struct { + CsrfToken *string `json:"csrf_token,omitempty"` + Providers []Provider `json:"providers,omitempty"` +} + +// NewGetParametersResponse instantiates a new GetParametersResponse object +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed +func NewGetParametersResponse() *GetParametersResponse { + this := GetParametersResponse{} + return &this +} + +// NewGetParametersResponseWithDefaults instantiates a new GetParametersResponse object +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set +func NewGetParametersResponseWithDefaults() *GetParametersResponse { + this := GetParametersResponse{} + return &this +} + +// GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. +func (o *GetParametersResponse) GetCsrfToken() string { + if o == nil || o.CsrfToken == nil { + var ret string + return ret + } + return *o.CsrfToken +} + +// GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise +// and a boolean to check if the value has been set. 
+func (o *GetParametersResponse) GetCsrfTokenOk() (*string, bool) { + if o == nil || o.CsrfToken == nil { + return nil, false + } + return o.CsrfToken, true +} + +// HasCsrfToken returns a boolean if a field has been set. +func (o *GetParametersResponse) HasCsrfToken() bool { + if o != nil && o.CsrfToken != nil { + return true + } + + return false +} + +// SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field. +func (o *GetParametersResponse) SetCsrfToken(v string) { + o.CsrfToken = &v +} + +// GetProviders returns the Providers field value if set, zero value otherwise. +func (o *GetParametersResponse) GetProviders() []Provider { + if o == nil || o.Providers == nil { + var ret []Provider + return ret + } + return o.Providers +} + +// GetProvidersOk returns a tuple with the Providers field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *GetParametersResponse) GetProvidersOk() ([]Provider, bool) { + if o == nil || o.Providers == nil { + return nil, false + } + return o.Providers, true +} + +// HasProviders returns a boolean if a field has been set. +func (o *GetParametersResponse) HasProviders() bool { + if o != nil && o.Providers != nil { + return true + } + + return false +} + +// SetProviders gets a reference to the given []Provider and assigns it to the Providers field. 
+func (o *GetParametersResponse) SetProviders(v []Provider) { + o.Providers = v +} + +func (o GetParametersResponse) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.CsrfToken != nil { + toSerialize["csrf_token"] = o.CsrfToken + } + if o.Providers != nil { + toSerialize["providers"] = o.Providers + } + return json.Marshal(toSerialize) +} + +type NullableGetParametersResponse struct { + value *GetParametersResponse + isSet bool +} + +func (v NullableGetParametersResponse) Get() *GetParametersResponse { + return v.value +} + +func (v *NullableGetParametersResponse) Set(val *GetParametersResponse) { + v.value = val + v.isSet = true +} + +func (v NullableGetParametersResponse) IsSet() bool { + return v.isSet +} + +func (v *NullableGetParametersResponse) Unset() { + v.value = nil + v.isSet = false +} + +func NewNullableGetParametersResponse(val *GetParametersResponse) *NullableGetParametersResponse { + return &NullableGetParametersResponse{value: val, isSet: true} +} + +func (v NullableGetParametersResponse) MarshalJSON() ([]byte, error) { + return json.Marshal(v.value) +} + +func (v *NullableGetParametersResponse) UnmarshalJSON(src []byte) error { + v.isSet = true + return json.Unmarshal(src, &v.value) +} diff --git a/internal/client-go/model_provider.go b/internal/client-go/model_provider.go new file mode 100644 index 000000000000..2c9a79590e0e --- /dev/null +++ b/internal/client-go/model_provider.go 
@@ -0,0 +1,337 @@ +/* + * Ory Identities API + * + * This is the API specification for Ory Identities with features such as registration, login, recovery, account verification, profile settings, password reset, identity management, session management, email and sms delivery, and more. + * + * API version: + * Contact: office@ory.sh + */ + +// Code generated by OpenAPI Generator (https://openapi-generator.tech); DO NOT EDIT. + +package client + +import ( + "encoding/json" +) + +// Provider struct for Provider +type Provider struct { + // The RP's client identifier, issued by the IdP. + ClientId *string `json:"client_id,omitempty"` + // A full path of the IdP config file. + ConfigUrl *string `json:"config_url,omitempty"` + // By specifying one of domain_hints values provided by the accounts endpoints, the FedCM dialog selectively shows the specified account. + DomainHint *string `json:"domain_hint,omitempty"` + // Array of strings that specifies the user information (\"name\", \" email\", \"picture\") that RP needs IdP to share with them. Note: Field API is supported by Chrome 132 and later. + Fields []string `json:"fields,omitempty"` + // By specifying one of login_hints values provided by the accounts endpoints, the FedCM dialog selectively shows the specified account. + LoginHint *string `json:"login_hint,omitempty"` + // A random string to ensure the response is issued for this specific request. Prevents replay attacks. + Nonce *string `json:"nonce,omitempty"` + // Custom object that allows to specify additional key-value parameters: scope: A string value containing additional permissions that RP needs to request, for example \" drive.readonly calendar.readonly\" nonce: A random string to ensure the response is issued for this specific request. Prevents replay attacks. Other custom key-value parameters. Note: parameters is supported from Chrome 132. 
+ Parameters *map[string]string `json:"parameters,omitempty"` +} + +// NewProvider instantiates a new Provider object +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed +func NewProvider() *Provider { + this := Provider{} + return &this +} + +// NewProviderWithDefaults instantiates a new Provider object +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set +func NewProviderWithDefaults() *Provider { + this := Provider{} + return &this +} + +// GetClientId returns the ClientId field value if set, zero value otherwise. +func (o *Provider) GetClientId() string { + if o == nil || o.ClientId == nil { + var ret string + return ret + } + return *o.ClientId +} + +// GetClientIdOk returns a tuple with the ClientId field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetClientIdOk() (*string, bool) { + if o == nil || o.ClientId == nil { + return nil, false + } + return o.ClientId, true +} + +// HasClientId returns a boolean if a field has been set. +func (o *Provider) HasClientId() bool { + if o != nil && o.ClientId != nil { + return true + } + + return false +} + +// SetClientId gets a reference to the given string and assigns it to the ClientId field. +func (o *Provider) SetClientId(v string) { + o.ClientId = &v +} + +// GetConfigUrl returns the ConfigUrl field value if set, zero value otherwise. +func (o *Provider) GetConfigUrl() string { + if o == nil || o.ConfigUrl == nil { + var ret string + return ret + } + return *o.ConfigUrl +} + +// GetConfigUrlOk returns a tuple with the ConfigUrl field value if set, nil otherwise +// and a boolean to check if the value has been set. 
+func (o *Provider) GetConfigUrlOk() (*string, bool) { + if o == nil || o.ConfigUrl == nil { + return nil, false + } + return o.ConfigUrl, true +} + +// HasConfigUrl returns a boolean if a field has been set. +func (o *Provider) HasConfigUrl() bool { + if o != nil && o.ConfigUrl != nil { + return true + } + + return false +} + +// SetConfigUrl gets a reference to the given string and assigns it to the ConfigUrl field. +func (o *Provider) SetConfigUrl(v string) { + o.ConfigUrl = &v +} + +// GetDomainHint returns the DomainHint field value if set, zero value otherwise. +func (o *Provider) GetDomainHint() string { + if o == nil || o.DomainHint == nil { + var ret string + return ret + } + return *o.DomainHint +} + +// GetDomainHintOk returns a tuple with the DomainHint field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetDomainHintOk() (*string, bool) { + if o == nil || o.DomainHint == nil { + return nil, false + } + return o.DomainHint, true +} + +// HasDomainHint returns a boolean if a field has been set. +func (o *Provider) HasDomainHint() bool { + if o != nil && o.DomainHint != nil { + return true + } + + return false +} + +// SetDomainHint gets a reference to the given string and assigns it to the DomainHint field. +func (o *Provider) SetDomainHint(v string) { + o.DomainHint = &v +} + +// GetFields returns the Fields field value if set, zero value otherwise. +func (o *Provider) GetFields() []string { + if o == nil || o.Fields == nil { + var ret []string + return ret + } + return o.Fields +} + +// GetFieldsOk returns a tuple with the Fields field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetFieldsOk() ([]string, bool) { + if o == nil || o.Fields == nil { + return nil, false + } + return o.Fields, true +} + +// HasFields returns a boolean if a field has been set. 
+func (o *Provider) HasFields() bool { + if o != nil && o.Fields != nil { + return true + } + + return false +} + +// SetFields gets a reference to the given []string and assigns it to the Fields field. +func (o *Provider) SetFields(v []string) { + o.Fields = v +} + +// GetLoginHint returns the LoginHint field value if set, zero value otherwise. +func (o *Provider) GetLoginHint() string { + if o == nil || o.LoginHint == nil { + var ret string + return ret + } + return *o.LoginHint +} + +// GetLoginHintOk returns a tuple with the LoginHint field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetLoginHintOk() (*string, bool) { + if o == nil || o.LoginHint == nil { + return nil, false + } + return o.LoginHint, true +} + +// HasLoginHint returns a boolean if a field has been set. +func (o *Provider) HasLoginHint() bool { + if o != nil && o.LoginHint != nil { + return true + } + + return false +} + +// SetLoginHint gets a reference to the given string and assigns it to the LoginHint field. +func (o *Provider) SetLoginHint(v string) { + o.LoginHint = &v +} + +// GetNonce returns the Nonce field value if set, zero value otherwise. +func (o *Provider) GetNonce() string { + if o == nil || o.Nonce == nil { + var ret string + return ret + } + return *o.Nonce +} + +// GetNonceOk returns a tuple with the Nonce field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetNonceOk() (*string, bool) { + if o == nil || o.Nonce == nil { + return nil, false + } + return o.Nonce, true +} + +// HasNonce returns a boolean if a field has been set. +func (o *Provider) HasNonce() bool { + if o != nil && o.Nonce != nil { + return true + } + + return false +} + +// SetNonce gets a reference to the given string and assigns it to the Nonce field. +func (o *Provider) SetNonce(v string) { + o.Nonce = &v +} + +// GetParameters returns the Parameters field value if set, zero value otherwise. 
+func (o *Provider) GetParameters() map[string]string { + if o == nil || o.Parameters == nil { + var ret map[string]string + return ret + } + return *o.Parameters +} + +// GetParametersOk returns a tuple with the Parameters field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetParametersOk() (*map[string]string, bool) { + if o == nil || o.Parameters == nil { + return nil, false + } + return o.Parameters, true +} + +// HasParameters returns a boolean if a field has been set. +func (o *Provider) HasParameters() bool { + if o != nil && o.Parameters != nil { + return true + } + + return false +} + +// SetParameters gets a reference to the given map[string]string and assigns it to the Parameters field. +func (o *Provider) SetParameters(v map[string]string) { + o.Parameters = &v +} + +func (o Provider) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.ClientId != nil { + toSerialize["client_id"] = o.ClientId + } + if o.ConfigUrl != nil { + toSerialize["config_url"] = o.ConfigUrl + } + if o.DomainHint != nil { + toSerialize["domain_hint"] = o.DomainHint + } + if o.Fields != nil { + toSerialize["fields"] = o.Fields + } + if o.LoginHint != nil { + toSerialize["login_hint"] = o.LoginHint + } + if o.Nonce != nil { + toSerialize["nonce"] = o.Nonce + } + if o.Parameters != nil { + toSerialize["parameters"] = o.Parameters + } + return json.Marshal(toSerialize) +} + +type NullableProvider struct { + value *Provider + isSet bool +} + +func (v NullableProvider) Get() *Provider { + return v.value +} + +func (v *NullableProvider) Set(val *Provider) { + v.value = val + v.isSet = true +} + +func (v NullableProvider) IsSet() bool { + return v.isSet +} + +func (v *NullableProvider) Unset() { + v.value = nil + v.isSet = false +} + +func NewNullableProvider(val *Provider) *NullableProvider { + return &NullableProvider{value: val, isSet: true} +} + +func (v NullableProvider) MarshalJSON() ([]byte, error) 
{ + return json.Marshal(v.value) +} + +func (v *NullableProvider) UnmarshalJSON(src []byte) error { + v.isSet = true + return json.Unmarshal(src, &v.value) +} diff --git a/internal/client-go/model_submit_fedcm_token_body.go b/internal/client-go/model_submit_fedcm_token_body.go new file mode 100644 index 000000000000..8b2fbc54c70f --- /dev/null +++ b/internal/client-go/model_submit_fedcm_token_body.go 
@@ -0,0 +1,114 @@ +/* + * Ory Identities API + * + * This is the API specification for Ory Identities with features such as registration, login, recovery, account verification, profile settings, password reset, identity management, session management, email and sms delivery, and more. + * + * API version: + * Contact: office@ory.sh + */ + +// Code generated by OpenAPI Generator (https://openapi-generator.tech); DO NOT EDIT. + +package client + +import ( + "encoding/json" +) + +// SubmitFedcmTokenBody struct for SubmitFedcmTokenBody +type SubmitFedcmTokenBody struct { + Token *string `json:"token,omitempty"` +} + +// NewSubmitFedcmTokenBody instantiates a new SubmitFedcmTokenBody object +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed +func NewSubmitFedcmTokenBody() *SubmitFedcmTokenBody { + this := SubmitFedcmTokenBody{} + return &this +} + +// NewSubmitFedcmTokenBodyWithDefaults instantiates a new SubmitFedcmTokenBody object +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set +func NewSubmitFedcmTokenBodyWithDefaults() *SubmitFedcmTokenBody { + this := SubmitFedcmTokenBody{} + return &this +} + +// GetToken returns the Token field value if set, zero value otherwise. +func (o *SubmitFedcmTokenBody) GetToken() string { + if o == nil || o.Token == nil { + var ret string + return ret + } + return *o.Token +} + +// GetTokenOk returns a tuple with the Token field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SubmitFedcmTokenBody) GetTokenOk() (*string, bool) { + if o == nil || o.Token == nil { + return nil, false + } + return o.Token, true +} + +// HasToken returns a boolean if a field has been set. 
+func (o *SubmitFedcmTokenBody) HasToken() bool { + if o != nil && o.Token != nil { + return true + } + + return false +} + +// SetToken gets a reference to the given string and assigns it to the Token field. +func (o *SubmitFedcmTokenBody) SetToken(v string) { + o.Token = &v +} + +func (o SubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.Token != nil { + toSerialize["token"] = o.Token + } + return json.Marshal(toSerialize) +} + +type NullableSubmitFedcmTokenBody struct { + value *SubmitFedcmTokenBody + isSet bool +} + +func (v NullableSubmitFedcmTokenBody) Get() *SubmitFedcmTokenBody { + return v.value +} + +func (v *NullableSubmitFedcmTokenBody) Set(val *SubmitFedcmTokenBody) { + v.value = val + v.isSet = true +} + +func (v NullableSubmitFedcmTokenBody) IsSet() bool { + return v.isSet +} + +func (v *NullableSubmitFedcmTokenBody) Unset() { + v.value = nil + v.isSet = false +} + +func NewNullableSubmitFedcmTokenBody(val *SubmitFedcmTokenBody) *NullableSubmitFedcmTokenBody { + return &NullableSubmitFedcmTokenBody{value: val, isSet: true} +} + +func (v NullableSubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { + return json.Marshal(v.value) +} + +func (v *NullableSubmitFedcmTokenBody) UnmarshalJSON(src []byte) error { + v.isSet = true + return json.Unmarshal(src, &v.value) +} diff --git a/internal/client-go/model_update_login_flow_with_oidc_method.go b/internal/client-go/model_update_login_flow_with_oidc_method.go index cdd5c665bdc5..c7ebbec5e248 100644 --- a/internal/client-go/model_update_login_flow_with_oidc_method.go +++ b/internal/client-go/model_update_login_flow_with_oidc_method.go 
@@ -17,21 +17,21 @@ import ( // UpdateLoginFlowWithOidcMethod Update Login Flow with OpenID Connect Method type UpdateLoginFlowWithOidcMethod struct { + // The Provider to register with + Provider string `json:"Provider"` // The CSRF Token CsrfToken *string `json:"csrf_token,omitempty"` - // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google + // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google IdToken *string `json:"id_token,omitempty"` - // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and required. + // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and required. IdTokenNonce *string `json:"id_token_nonce,omitempty"` // Method to use This field must be set to `oidc` when using the oidc method. Method string `json:"method"` - // The provider to register with - Provider string `json:"provider"` // The identity traits. This is a placeholder for the registration flow. 
Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
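Review bot: The Provider field's JSON key changed case in the new struct definition, `Provider string` now tagged `json:"Provider"` where the removed line had `json:"provider"`, and the MarshalJSON hunk further down now emits `toSerialize["Provider"]`; the registration-flow hunks carry the same rename. Go's encoding/json matches keys case-insensitively on decode, so a Go server may still accept the request, but a JSON-schema-validated endpoint, a case-sensitive consumer, or any other SDK generated from the same spec will see this as a breaking wire-format change that the commit does not mention. Since this file is generator output, the cause is presumably upstream in the server-side struct or spec the generator read, and the fix belongs there: restore the lowercase tag so regeneration yields `json:"provider"` again. Moving the field to the top of the struct also swapped the constructor's parameter order in the next hunk, `NewUpdateLoginFlowWithOidcMethod(provider string, method string)`, which silently breaks positional callers of the generated client.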
@@ -39,10 +39,10 @@ type UpdateLoginFlowWithOidcMethod struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUpdateLoginFlowWithOidcMethod(method string, provider string) *UpdateLoginFlowWithOidcMethod { +func NewUpdateLoginFlowWithOidcMethod(provider string, method string) *UpdateLoginFlowWithOidcMethod { this := UpdateLoginFlowWithOidcMethod{} - this.Method = method this.Provider = provider + this.Method = method return &this } @@ -54,6 +54,30 @@ func NewUpdateLoginFlowWithOidcMethodWithDefaults() *UpdateLoginFlowWithOidcMeth return &this } +// GetProvider returns the Provider field value +func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string { + if o == nil { + var ret string + return ret + } + + return o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value +// and a boolean to check if the value has been set. +func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Provider, true +} + +// SetProvider sets field value +func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) { + o.Provider = v +} + // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. func (o *UpdateLoginFlowWithOidcMethod) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { 
@@ -174,30 +198,6 @@ func (o *UpdateLoginFlowWithOidcMethod) SetMethod(v string) { o.Method = v } -// GetProvider returns the Provider field value -func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string { - if o == nil { - var ret string - return ret - } - - return o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value -// and a boolean to check if the value has been set. -func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) { - if o == nil { - return nil, false - } - return &o.Provider, true -} - -// SetProvider sets field value -func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) { - o.Provider = v -} - // GetTraits returns the Traits field value if set, zero value otherwise. func (o *UpdateLoginFlowWithOidcMethod) GetTraits() map[string]interface{} { if o == nil || o.Traits == nil { @@ -296,6 +296,9 @@ func (o *UpdateLoginFlowWithOidcMethod) SetUpstreamParameters(v map[string]inter func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} + if true { + toSerialize["Provider"] = o.Provider + } if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken } @@ -308,9 +311,6 @@ func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) { if true { toSerialize["method"] = o.Method } - if true { - toSerialize["provider"] = o.Provider - } if o.Traits != nil { toSerialize["traits"] = o.Traits } diff --git a/internal/client-go/model_update_registration_flow_with_oidc_method.go b/internal/client-go/model_update_registration_flow_with_oidc_method.go index 2ee32605fee6..d96f8bb21777 100644 --- a/internal/client-go/model_update_registration_flow_with_oidc_method.go +++ b/internal/client-go/model_update_registration_flow_with_oidc_method.go 
@@ -17,21 +17,21 @@ import ( // UpdateRegistrationFlowWithOidcMethod Update Registration Flow with OpenID Connect Method type UpdateRegistrationFlowWithOidcMethod struct { + // The Provider to register with + Provider string `json:"Provider"` // The CSRF Token CsrfToken *string `json:"csrf_token,omitempty"` - // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google + // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google IdToken *string `json:"id_token,omitempty"` - // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and is required. + // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and is required. IdTokenNonce *string `json:"id_token_nonce,omitempty"` // Method to use This field must be set to `oidc` when using the oidc method. 
Method string `json:"method"` - // The provider to register with - Provider string `json:"provider"` // The identity traits Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
@@ -39,10 +39,10 @@ type UpdateRegistrationFlowWithOidcMethod struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUpdateRegistrationFlowWithOidcMethod(method string, provider string) *UpdateRegistrationFlowWithOidcMethod { +func NewUpdateRegistrationFlowWithOidcMethod(provider string, method string) *UpdateRegistrationFlowWithOidcMethod { this := UpdateRegistrationFlowWithOidcMethod{} - this.Method = method this.Provider = provider + this.Method = method return &this } @@ -54,6 +54,30 @@ func NewUpdateRegistrationFlowWithOidcMethodWithDefaults() *UpdateRegistrationFl return &this } +// GetProvider returns the Provider field value +func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string { + if o == nil { + var ret string + return ret + } + + return o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value +// and a boolean to check if the value has been set. +func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Provider, true +} + +// SetProvider sets field value +func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) { + o.Provider = v +} + // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. func (o *UpdateRegistrationFlowWithOidcMethod) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { 
@@ -174,30 +198,6 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetMethod(v string) { o.Method = v } -// GetProvider returns the Provider field value -func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string { - if o == nil { - var ret string - return ret - } - - return o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value -// and a boolean to check if the value has been set. -func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) { - if o == nil { - return nil, false - } - return &o.Provider, true -} - -// SetProvider sets field value -func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) { - o.Provider = v -} - // GetTraits returns the Traits field value if set, zero value otherwise. func (o *UpdateRegistrationFlowWithOidcMethod) GetTraits() map[string]interface{} { if o == nil || o.Traits == nil { @@ -296,6 +296,9 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetUpstreamParameters(v map[strin func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} + if true { + toSerialize["Provider"] = o.Provider + } if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken } @@ -308,9 +311,6 @@ func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) { if true { toSerialize["method"] = o.Method } - if true { - toSerialize["provider"] = o.Provider - } if o.Traits != nil { toSerialize["traits"] = o.Traits } diff --git a/internal/client-go/model_update_settings_flow_with_oidc_method.go b/internal/client-go/model_update_settings_flow_with_oidc_method.go index c54a0d1251f3..6a1650c5c317 100644 --- a/internal/client-go/model_update_settings_flow_with_oidc_method.go +++ b/internal/client-go/model_update_settings_flow_with_oidc_method.go 
@@ -19,7 +19,7 @@ import ( type UpdateSettingsFlowWithOidcMethod struct { // Flow ID is the flow's ID. in: query Flow *string `json:"flow,omitempty"` - // Link this provider Either this or `unlink` must be set. type: string in: body + // Link this Provider Either this or `unlink` must be set. type: string in: body Link *string `json:"link,omitempty"` // Method Should be set to profile when trying to update a profile. Method string `json:"method"` 
@@ -27,9 +27,9 @@ type UpdateSettingsFlowWithOidcMethod struct { Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // Unlink this provider Either this or `link` must be set. type: string in: body + // Unlink this Provider Either this or `link` must be set. type: string in: body Unlink *string `json:"unlink,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } diff --git a/internal/httpclient/.openapi-generator/FILES b/internal/httpclient/.openapi-generator/FILES index 118cf9b06463..eef4b6b4dfe9 100644 
--- a/internal/httpclient/.openapi-generator/FILES +++ b/internal/httpclient/.openapi-generator/FILES @@ -35,6 +35,7 @@ docs/ErrorGeneric.md docs/FlowError.md docs/FrontendAPI.md docs/GenericError.md +docs/GetParametersResponse.md docs/GetVersion200Response.md docs/HealthNotReadyStatus.md docs/HealthStatus.md @@ -70,6 +71,7 @@ docs/OAuth2ConsentRequestOpenIDConnectContext.md docs/OAuth2LoginRequest.md docs/PatchIdentitiesBody.md docs/PerformNativeLogoutBody.md +docs/Provider.md docs/RecoveryCodeForIdentity.md docs/RecoveryFlow.md docs/RecoveryFlowState.md @@ -83,6 +85,7 @@ docs/SessionAuthenticationMethod.md docs/SessionDevice.md docs/SettingsFlow.md docs/SettingsFlowState.md +docs/SubmitFedcmTokenBody.md docs/SuccessfulCodeExchangeResponse.md docs/SuccessfulNativeLogin.md docs/SuccessfulNativeRegistration.md @@ -160,6 +163,7 @@ model_error_flow_replaced.go model_error_generic.go model_flow_error.go model_generic_error.go +model_get_parameters_response.go model_get_version_200_response.go model_health_not_ready_status.go model_health_status.go @@ -193,6 +197,7 @@ model_o_auth2_consent_request_open_id_connect_context.go model_o_auth2_login_request.go model_patch_identities_body.go model_perform_native_logout_body.go +model_provider.go model_recovery_code_for_identity.go model_recovery_flow.go model_recovery_flow_state.go @@ -206,6 +211,7 @@ model_session_authentication_method.go model_session_device.go model_settings_flow.go model_settings_flow_state.go +model_submit_fedcm_token_body.go model_successful_code_exchange_response.go model_successful_native_login.go model_successful_native_registration.go diff --git a/internal/httpclient/README.md b/internal/httpclient/README.md index 97593523117a..76576250b664 100644 --- a/internal/httpclient/README.md +++ b/internal/httpclient/README.md 
@@ -95,6 +95,7 @@ Class | Method | HTTP request | Description *FrontendAPI* | [**DisableMyOtherSessions**](docs/FrontendAPI.md#disablemyothersessions) | **Delete** /sessions | Disable my other sessions *FrontendAPI* | [**DisableMySession**](docs/FrontendAPI.md#disablemysession) | **Delete** /sessions/{id} | Disable one of my sessions *FrontendAPI* | [**ExchangeSessionToken**](docs/FrontendAPI.md#exchangesessiontoken) | **Get** /sessions/token-exchange | Exchange Session Token +*FrontendAPI* | [**GetFedcmParameters**](docs/FrontendAPI.md#getfedcmparameters) | **Get** /self-service/fed-cm/parameters | Get FedCM Parameters *FrontendAPI* | [**GetFlowError**](docs/FrontendAPI.md#getflowerror) | **Get** /self-service/errors | Get User-Flow Errors *FrontendAPI* | [**GetLoginFlow**](docs/FrontendAPI.md#getloginflow) | **Get** /self-service/login/flows | Get Login Flow *FrontendAPI* | [**GetRecoveryFlow**](docs/FrontendAPI.md#getrecoveryflow) | **Get** /self-service/recovery/flows | Get Recovery Flow 
@@ -104,6 +105,7 @@ Class | Method | HTTP request | Description *FrontendAPI* | [**GetWebAuthnJavaScript**](docs/FrontendAPI.md#getwebauthnjavascript) | **Get** /.well-known/ory/webauthn.js | Get WebAuthn JavaScript *FrontendAPI* | [**ListMySessions**](docs/FrontendAPI.md#listmysessions) | **Get** /sessions | Get My Active Sessions *FrontendAPI* | [**PerformNativeLogout**](docs/FrontendAPI.md#performnativelogout) | **Delete** /self-service/logout/api | Perform Logout for Native Apps +*FrontendAPI* | [**SubmitFedcmToken**](docs/FrontendAPI.md#submitfedcmtoken) | **Post** /self-service/fed-cm/token | Submit a FedCM token *FrontendAPI* | [**ToSession**](docs/FrontendAPI.md#tosession) | **Get** /sessions/whoami | Check Who the Current HTTP Session Belongs To *FrontendAPI* | [**UpdateLoginFlow**](docs/FrontendAPI.md#updateloginflow) | **Post** /self-service/login | Submit a Login Flow *FrontendAPI* | [**UpdateLogoutFlow**](docs/FrontendAPI.md#updatelogoutflow) | **Get** /self-service/logout | Update Logout Flow @@ -160,6 +162,7 @@ Class | Method | HTTP request | Description - [ErrorGeneric](docs/ErrorGeneric.md) - [FlowError](docs/FlowError.md) - [GenericError](docs/GenericError.md) + - [GetParametersResponse](docs/GetParametersResponse.md) - [GetVersion200Response](docs/GetVersion200Response.md) - [HealthNotReadyStatus](docs/HealthNotReadyStatus.md) - [HealthStatus](docs/HealthStatus.md) @@ -193,6 +196,7 @@ Class | Method | HTTP request | Description - [OAuth2LoginRequest](docs/OAuth2LoginRequest.md) - [PatchIdentitiesBody](docs/PatchIdentitiesBody.md) - [PerformNativeLogoutBody](docs/PerformNativeLogoutBody.md) + - [Provider](docs/Provider.md) - [RecoveryCodeForIdentity](docs/RecoveryCodeForIdentity.md) - [RecoveryFlow](docs/RecoveryFlow.md) - [RecoveryFlowState](docs/RecoveryFlowState.md) 
@@ -206,6 +210,7 @@ Class | Method | HTTP request | Description - [SessionDevice](docs/SessionDevice.md) - [SettingsFlow](docs/SettingsFlow.md) - [SettingsFlowState](docs/SettingsFlowState.md) + - [SubmitFedcmTokenBody](docs/SubmitFedcmTokenBody.md) - [SuccessfulCodeExchangeResponse](docs/SuccessfulCodeExchangeResponse.md) - [SuccessfulNativeLogin](docs/SuccessfulNativeLogin.md) - [SuccessfulNativeRegistration](docs/SuccessfulNativeRegistration.md) diff --git a/internal/httpclient/api_frontend.go b/internal/httpclient/api_frontend.go index 97266e9c4c94..2faad9a5bd32 100644 --- a/internal/httpclient/api_frontend.go +++ b/internal/httpclient/api_frontend.go @@ -394,6 +394,20 @@ type FrontendAPI interface { */ ExchangeSessionTokenExecute(r FrontendAPIApiExchangeSessionTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) + /* + * GetFedcmParameters Get FedCM Parameters + * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiGetFedcmParametersRequest + */ + GetFedcmParameters(ctx context.Context) FrontendAPIApiGetFedcmParametersRequest + + /* + * GetFedcmParametersExecute executes the request + * @return GetParametersResponse + */ + GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) + /* * GetFlowError Get User-Flow Errors * This endpoint returns the error associated with a user-facing self service errors. 
@@ -637,6 +651,23 @@ type FrontendAPI interface { */ PerformNativeLogoutExecute(r FrontendAPIApiPerformNativeLogoutRequest) (*http.Response, error) + /* + * SubmitFedcmToken Submit a FedCM token + * Use this endpoint to submit a token from a FedCM provider through + `navigator.credentials.get` and log the user in. The parameters from + `navigator.credentials.get` must have come from `GET + self-service/fed-cm/parameters`. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiSubmitFedcmTokenRequest + */ + SubmitFedcmToken(ctx context.Context) FrontendAPIApiSubmitFedcmTokenRequest + + /* + * SubmitFedcmTokenExecute executes the request + * @return SuccessfulNativeLogin + */ + SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcmTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) + /* * ToSession Check Who the Current HTTP Session Belongs To * Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated. 
@@ -3104,6 +3135,124 @@ func (a *FrontendAPIService) ExchangeSessionTokenExecute(r FrontendAPIApiExchang return localVarReturnValue, localVarHTTPResponse, nil } +type FrontendAPIApiGetFedcmParametersRequest struct { + ctx context.Context + ApiService FrontendAPI +} + +func (r FrontendAPIApiGetFedcmParametersRequest) Execute() (*GetParametersResponse, *http.Response, error) { + return r.ApiService.GetFedcmParametersExecute(r) +} + +/* + * GetFedcmParameters Get FedCM Parameters + * This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network. + * @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). + * @return FrontendAPIApiGetFedcmParametersRequest + */ +func (a *FrontendAPIService) GetFedcmParameters(ctx context.Context) FrontendAPIApiGetFedcmParametersRequest { + return FrontendAPIApiGetFedcmParametersRequest{ + ApiService: a, + ctx: ctx, + } +} + +/* + * Execute executes the request + * @return GetParametersResponse + */ +func (a *FrontendAPIService) GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) { + var ( + localVarHTTPMethod = http.MethodGet + localVarPostBody interface{} + localVarFormFileName string + localVarFileName string + localVarFileBytes []byte + localVarReturnValue *GetParametersResponse + ) + + localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.GetFedcmParameters") + if err != nil { + return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} + } + + localVarPath := localBasePath + "/self-service/fed-cm/parameters" + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := url.Values{} + localVarFormParams := url.Values{} + + // to determine the Content-Type header + localVarHTTPContentTypes := []string{} + + // set Content-Type header + localVarHTTPContentType := 
selectHeaderContentType(localVarHTTPContentTypes) + if localVarHTTPContentType != "" { + localVarHeaderParams["Content-Type"] = localVarHTTPContentType + } + + // to determine the Accept header + localVarHTTPHeaderAccepts := []string{"application/json"} + + // set Accept header + localVarHTTPHeaderAccept := selectHeaderAccept(localVarHTTPHeaderAccepts) + if localVarHTTPHeaderAccept != "" { + localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept + } + req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.client.callAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + localVarBody, err := io.ReadAll(io.LimitReader(localVarHTTPResponse.Body, 1024*1024)) + localVarHTTPResponse.Body.Close() + localVarHTTPResponse.Body = io.NopCloser(bytes.NewBuffer(localVarBody)) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 400 { + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + + err = 
a.client.decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: err.Error(), + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + return localVarReturnValue, localVarHTTPResponse, nil +} + type FrontendAPIApiGetFlowErrorRequest struct { ctx context.Context ApiService FrontendAPI 
@@ -4539,6 +4688,159 @@ func (a *FrontendAPIService) PerformNativeLogoutExecute(r FrontendAPIApiPerformN return localVarHTTPResponse, nil } +type FrontendAPIApiSubmitFedcmTokenRequest struct { + ctx context.Context + ApiService FrontendAPI + submitFedcmTokenBody *SubmitFedcmTokenBody +} + +func (r FrontendAPIApiSubmitFedcmTokenRequest) SubmitFedcmTokenBody(submitFedcmTokenBody SubmitFedcmTokenBody) FrontendAPIApiSubmitFedcmTokenRequest { + r.submitFedcmTokenBody = &submitFedcmTokenBody + return r +} + +func (r FrontendAPIApiSubmitFedcmTokenRequest) Execute() (*SuccessfulNativeLogin, *http.Response, error) { + return r.ApiService.SubmitFedcmTokenExecute(r) +} + +/* + - SubmitFedcmToken Submit a FedCM token + - Use this endpoint to submit a token from a FedCM provider through + +`navigator.credentials.get` and log the user in. The parameters from +`navigator.credentials.get` must have come from `GET +self-service/fed-cm/parameters`. + - @param ctx context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background(). 
+ - @return FrontendAPIApiSubmitFedcmTokenRequest +*/ +func (a *FrontendAPIService) SubmitFedcmToken(ctx context.Context) FrontendAPIApiSubmitFedcmTokenRequest { + return FrontendAPIApiSubmitFedcmTokenRequest{ + ApiService: a, + ctx: ctx, + } +} + +/* + * Execute executes the request + * @return SuccessfulNativeLogin + */ +func (a *FrontendAPIService) SubmitFedcmTokenExecute(r FrontendAPIApiSubmitFedcmTokenRequest) (*SuccessfulNativeLogin, *http.Response, error) { + var ( + localVarHTTPMethod = http.MethodPost + localVarPostBody interface{} + localVarFormFileName string + localVarFileName string + localVarFileBytes []byte + localVarReturnValue *SuccessfulNativeLogin + ) + + localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.SubmitFedcmToken") + if err != nil { + return localVarReturnValue, nil, &GenericOpenAPIError{error: err.Error()} + } + + localVarPath := localBasePath + "/self-service/fed-cm/token" + + localVarHeaderParams := make(map[string]string) + localVarQueryParams := url.Values{} + localVarFormParams := url.Values{} + if r.submitFedcmTokenBody == nil { + return localVarReturnValue, nil, reportError("submitFedcmTokenBody is required and must be specified") + } + + // to determine the Content-Type header + localVarHTTPContentTypes := []string{"application/json", "application/x-www-form-urlencoded"} + + // set Content-Type header + localVarHTTPContentType := selectHeaderContentType(localVarHTTPContentTypes) + if localVarHTTPContentType != "" { + localVarHeaderParams["Content-Type"] = localVarHTTPContentType + } + + // to determine the Accept header + localVarHTTPHeaderAccepts := []string{"application/json"} + + // set Accept header + localVarHTTPHeaderAccept := selectHeaderAccept(localVarHTTPHeaderAccepts) + if localVarHTTPHeaderAccept != "" { + localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept + } + // body params + localVarPostBody = r.submitFedcmTokenBody + req, err := a.client.prepareRequest(r.ctx, localVarPath, 
localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes) + if err != nil { + return localVarReturnValue, nil, err + } + + localVarHTTPResponse, err := a.client.callAPI(req) + if err != nil || localVarHTTPResponse == nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + localVarBody, err := io.ReadAll(io.LimitReader(localVarHTTPResponse.Body, 1024*1024)) + localVarHTTPResponse.Body.Close() + localVarHTTPResponse.Body = io.NopCloser(bytes.NewBuffer(localVarBody)) + if err != nil { + return localVarReturnValue, localVarHTTPResponse, err + } + + if localVarHTTPResponse.StatusCode >= 300 { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: localVarHTTPResponse.Status, + } + if localVarHTTPResponse.StatusCode == 400 { + var v LoginFlow + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + if localVarHTTPResponse.StatusCode == 410 { + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + if localVarHTTPResponse.StatusCode == 422 { + var v ErrorBrowserLocationChangeRequired + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + var v ErrorGeneric + err = a.client.decode(&v, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err 
!= nil { + newErr.error = err.Error() + return localVarReturnValue, localVarHTTPResponse, newErr + } + newErr.model = v + return localVarReturnValue, localVarHTTPResponse, newErr + } + + err = a.client.decode(&localVarReturnValue, localVarBody, localVarHTTPResponse.Header.Get("Content-Type")) + if err != nil { + newErr := &GenericOpenAPIError{ + body: localVarBody, + error: err.Error(), + } + return localVarReturnValue, localVarHTTPResponse, newErr + } + + return localVarReturnValue, localVarHTTPResponse, nil +} + type FrontendAPIApiToSessionRequest struct { ctx context.Context ApiService FrontendAPI diff --git a/internal/httpclient/model_get_parameters_response.go b/internal/httpclient/model_get_parameters_response.go new file mode 100644 index 000000000000..17616c790407 --- /dev/null +++ b/internal/httpclient/model_get_parameters_response.go 
@@ -0,0 +1,150 @@ +/* + * Ory Identities API + * + * This is the API specification for Ory Identities with features such as registration, login, recovery, account verification, profile settings, password reset, identity management, session management, email and sms delivery, and more. + * + * API version: + * Contact: office@ory.sh + */ + +// Code generated by OpenAPI Generator (https://openapi-generator.tech); DO NOT EDIT. + +package client + +import ( + "encoding/json" +) + +// GetParametersResponse Contains a list of all available FedCM providers. +type GetParametersResponse struct { + CsrfToken *string `json:"csrf_token,omitempty"` + Providers []Provider `json:"providers,omitempty"` +} + +// NewGetParametersResponse instantiates a new GetParametersResponse object +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed +func NewGetParametersResponse() *GetParametersResponse { + this := GetParametersResponse{} + return &this +} + +// NewGetParametersResponseWithDefaults instantiates a new GetParametersResponse object +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set +func NewGetParametersResponseWithDefaults() *GetParametersResponse { + this := GetParametersResponse{} + return &this +} + +// GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. +func (o *GetParametersResponse) GetCsrfToken() string { + if o == nil || o.CsrfToken == nil { + var ret string + return ret + } + return *o.CsrfToken +} + +// GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise +// and a boolean to check if the value has been set. 
+func (o *GetParametersResponse) GetCsrfTokenOk() (*string, bool) { + if o == nil || o.CsrfToken == nil { + return nil, false + } + return o.CsrfToken, true +} + +// HasCsrfToken returns a boolean if a field has been set. +func (o *GetParametersResponse) HasCsrfToken() bool { + if o != nil && o.CsrfToken != nil { + return true + } + + return false +} + +// SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field. +func (o *GetParametersResponse) SetCsrfToken(v string) { + o.CsrfToken = &v +} + +// GetProviders returns the Providers field value if set, zero value otherwise. +func (o *GetParametersResponse) GetProviders() []Provider { + if o == nil || o.Providers == nil { + var ret []Provider + return ret + } + return o.Providers +} + +// GetProvidersOk returns a tuple with the Providers field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *GetParametersResponse) GetProvidersOk() ([]Provider, bool) { + if o == nil || o.Providers == nil { + return nil, false + } + return o.Providers, true +} + +// HasProviders returns a boolean if a field has been set. +func (o *GetParametersResponse) HasProviders() bool { + if o != nil && o.Providers != nil { + return true + } + + return false +} + +// SetProviders gets a reference to the given []Provider and assigns it to the Providers field. 
+func (o *GetParametersResponse) SetProviders(v []Provider) { + o.Providers = v +} + +func (o GetParametersResponse) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.CsrfToken != nil { + toSerialize["csrf_token"] = o.CsrfToken + } + if o.Providers != nil { + toSerialize["providers"] = o.Providers + } + return json.Marshal(toSerialize) +} + +type NullableGetParametersResponse struct { + value *GetParametersResponse + isSet bool +} + +func (v NullableGetParametersResponse) Get() *GetParametersResponse { + return v.value +} + +func (v *NullableGetParametersResponse) Set(val *GetParametersResponse) { + v.value = val + v.isSet = true +} + +func (v NullableGetParametersResponse) IsSet() bool { + return v.isSet +} + +func (v *NullableGetParametersResponse) Unset() { + v.value = nil + v.isSet = false +} + +func NewNullableGetParametersResponse(val *GetParametersResponse) *NullableGetParametersResponse { + return &NullableGetParametersResponse{value: val, isSet: true} +} + +func (v NullableGetParametersResponse) MarshalJSON() ([]byte, error) { + return json.Marshal(v.value) +} + +func (v *NullableGetParametersResponse) UnmarshalJSON(src []byte) error { + v.isSet = true + return json.Unmarshal(src, &v.value) +} diff --git a/internal/httpclient/model_provider.go b/internal/httpclient/model_provider.go new file mode 100644 index 000000000000..2c9a79590e0e --- /dev/null +++ b/internal/httpclient/model_provider.go 
@@ -0,0 +1,337 @@ +/* + * Ory Identities API + * + * This is the API specification for Ory Identities with features such as registration, login, recovery, account verification, profile settings, password reset, identity management, session management, email and sms delivery, and more. + * + * API version: + * Contact: office@ory.sh + */ + +// Code generated by OpenAPI Generator (https://openapi-generator.tech); DO NOT EDIT. + +package client + +import ( + "encoding/json" +) + +// Provider struct for Provider +type Provider struct { + // The RP's client identifier, issued by the IdP. + ClientId *string `json:"client_id,omitempty"` + // A full path of the IdP config file. + ConfigUrl *string `json:"config_url,omitempty"` + // By specifying one of domain_hints values provided by the accounts endpoints, the FedCM dialog selectively shows the specified account. + DomainHint *string `json:"domain_hint,omitempty"` + // Array of strings that specifies the user information (\"name\", \" email\", \"picture\") that RP needs IdP to share with them. Note: Field API is supported by Chrome 132 and later. + Fields []string `json:"fields,omitempty"` + // By specifying one of login_hints values provided by the accounts endpoints, the FedCM dialog selectively shows the specified account. + LoginHint *string `json:"login_hint,omitempty"` + // A random string to ensure the response is issued for this specific request. Prevents replay attacks. + Nonce *string `json:"nonce,omitempty"` + // Custom object that allows to specify additional key-value parameters: scope: A string value containing additional permissions that RP needs to request, for example \" drive.readonly calendar.readonly\" nonce: A random string to ensure the response is issued for this specific request. Prevents replay attacks. Other custom key-value parameters. Note: parameters is supported from Chrome 132. 
+ Parameters *map[string]string `json:"parameters,omitempty"` +} + +// NewProvider instantiates a new Provider object +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed +func NewProvider() *Provider { + this := Provider{} + return &this +} + +// NewProviderWithDefaults instantiates a new Provider object +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set +func NewProviderWithDefaults() *Provider { + this := Provider{} + return &this +} + +// GetClientId returns the ClientId field value if set, zero value otherwise. +func (o *Provider) GetClientId() string { + if o == nil || o.ClientId == nil { + var ret string + return ret + } + return *o.ClientId +} + +// GetClientIdOk returns a tuple with the ClientId field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetClientIdOk() (*string, bool) { + if o == nil || o.ClientId == nil { + return nil, false + } + return o.ClientId, true +} + +// HasClientId returns a boolean if a field has been set. +func (o *Provider) HasClientId() bool { + if o != nil && o.ClientId != nil { + return true + } + + return false +} + +// SetClientId gets a reference to the given string and assigns it to the ClientId field. +func (o *Provider) SetClientId(v string) { + o.ClientId = &v +} + +// GetConfigUrl returns the ConfigUrl field value if set, zero value otherwise. +func (o *Provider) GetConfigUrl() string { + if o == nil || o.ConfigUrl == nil { + var ret string + return ret + } + return *o.ConfigUrl +} + +// GetConfigUrlOk returns a tuple with the ConfigUrl field value if set, nil otherwise +// and a boolean to check if the value has been set. 
+func (o *Provider) GetConfigUrlOk() (*string, bool) { + if o == nil || o.ConfigUrl == nil { + return nil, false + } + return o.ConfigUrl, true +} + +// HasConfigUrl returns a boolean if a field has been set. +func (o *Provider) HasConfigUrl() bool { + if o != nil && o.ConfigUrl != nil { + return true + } + + return false +} + +// SetConfigUrl gets a reference to the given string and assigns it to the ConfigUrl field. +func (o *Provider) SetConfigUrl(v string) { + o.ConfigUrl = &v +} + +// GetDomainHint returns the DomainHint field value if set, zero value otherwise. +func (o *Provider) GetDomainHint() string { + if o == nil || o.DomainHint == nil { + var ret string + return ret + } + return *o.DomainHint +} + +// GetDomainHintOk returns a tuple with the DomainHint field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetDomainHintOk() (*string, bool) { + if o == nil || o.DomainHint == nil { + return nil, false + } + return o.DomainHint, true +} + +// HasDomainHint returns a boolean if a field has been set. +func (o *Provider) HasDomainHint() bool { + if o != nil && o.DomainHint != nil { + return true + } + + return false +} + +// SetDomainHint gets a reference to the given string and assigns it to the DomainHint field. +func (o *Provider) SetDomainHint(v string) { + o.DomainHint = &v +} + +// GetFields returns the Fields field value if set, zero value otherwise. +func (o *Provider) GetFields() []string { + if o == nil || o.Fields == nil { + var ret []string + return ret + } + return o.Fields +} + +// GetFieldsOk returns a tuple with the Fields field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetFieldsOk() ([]string, bool) { + if o == nil || o.Fields == nil { + return nil, false + } + return o.Fields, true +} + +// HasFields returns a boolean if a field has been set. 
+func (o *Provider) HasFields() bool { + if o != nil && o.Fields != nil { + return true + } + + return false +} + +// SetFields gets a reference to the given []string and assigns it to the Fields field. +func (o *Provider) SetFields(v []string) { + o.Fields = v +} + +// GetLoginHint returns the LoginHint field value if set, zero value otherwise. +func (o *Provider) GetLoginHint() string { + if o == nil || o.LoginHint == nil { + var ret string + return ret + } + return *o.LoginHint +} + +// GetLoginHintOk returns a tuple with the LoginHint field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetLoginHintOk() (*string, bool) { + if o == nil || o.LoginHint == nil { + return nil, false + } + return o.LoginHint, true +} + +// HasLoginHint returns a boolean if a field has been set. +func (o *Provider) HasLoginHint() bool { + if o != nil && o.LoginHint != nil { + return true + } + + return false +} + +// SetLoginHint gets a reference to the given string and assigns it to the LoginHint field. +func (o *Provider) SetLoginHint(v string) { + o.LoginHint = &v +} + +// GetNonce returns the Nonce field value if set, zero value otherwise. +func (o *Provider) GetNonce() string { + if o == nil || o.Nonce == nil { + var ret string + return ret + } + return *o.Nonce +} + +// GetNonceOk returns a tuple with the Nonce field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetNonceOk() (*string, bool) { + if o == nil || o.Nonce == nil { + return nil, false + } + return o.Nonce, true +} + +// HasNonce returns a boolean if a field has been set. +func (o *Provider) HasNonce() bool { + if o != nil && o.Nonce != nil { + return true + } + + return false +} + +// SetNonce gets a reference to the given string and assigns it to the Nonce field. +func (o *Provider) SetNonce(v string) { + o.Nonce = &v +} + +// GetParameters returns the Parameters field value if set, zero value otherwise. 
+func (o *Provider) GetParameters() map[string]string { + if o == nil || o.Parameters == nil { + var ret map[string]string + return ret + } + return *o.Parameters +} + +// GetParametersOk returns a tuple with the Parameters field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *Provider) GetParametersOk() (*map[string]string, bool) { + if o == nil || o.Parameters == nil { + return nil, false + } + return o.Parameters, true +} + +// HasParameters returns a boolean if a field has been set. +func (o *Provider) HasParameters() bool { + if o != nil && o.Parameters != nil { + return true + } + + return false +} + +// SetParameters gets a reference to the given map[string]string and assigns it to the Parameters field. +func (o *Provider) SetParameters(v map[string]string) { + o.Parameters = &v +} + +func (o Provider) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.ClientId != nil { + toSerialize["client_id"] = o.ClientId + } + if o.ConfigUrl != nil { + toSerialize["config_url"] = o.ConfigUrl + } + if o.DomainHint != nil { + toSerialize["domain_hint"] = o.DomainHint + } + if o.Fields != nil { + toSerialize["fields"] = o.Fields + } + if o.LoginHint != nil { + toSerialize["login_hint"] = o.LoginHint + } + if o.Nonce != nil { + toSerialize["nonce"] = o.Nonce + } + if o.Parameters != nil { + toSerialize["parameters"] = o.Parameters + } + return json.Marshal(toSerialize) +} + +type NullableProvider struct { + value *Provider + isSet bool +} + +func (v NullableProvider) Get() *Provider { + return v.value +} + +func (v *NullableProvider) Set(val *Provider) { + v.value = val + v.isSet = true +} + +func (v NullableProvider) IsSet() bool { + return v.isSet +} + +func (v *NullableProvider) Unset() { + v.value = nil + v.isSet = false +} + +func NewNullableProvider(val *Provider) *NullableProvider { + return &NullableProvider{value: val, isSet: true} +} + +func (v NullableProvider) MarshalJSON() ([]byte, error) 
{ + return json.Marshal(v.value) +} + +func (v *NullableProvider) UnmarshalJSON(src []byte) error { + v.isSet = true + return json.Unmarshal(src, &v.value) +} diff --git a/internal/httpclient/model_submit_fedcm_token_body.go b/internal/httpclient/model_submit_fedcm_token_body.go new file mode 100644 index 000000000000..8b2fbc54c70f --- /dev/null +++ b/internal/httpclient/model_submit_fedcm_token_body.go 
@@ -0,0 +1,114 @@ +/* + * Ory Identities API + * + * This is the API specification for Ory Identities with features such as registration, login, recovery, account verification, profile settings, password reset, identity management, session management, email and sms delivery, and more. + * + * API version: + * Contact: office@ory.sh + */ + +// Code generated by OpenAPI Generator (https://openapi-generator.tech); DO NOT EDIT. + +package client + +import ( + "encoding/json" +) + +// SubmitFedcmTokenBody struct for SubmitFedcmTokenBody +type SubmitFedcmTokenBody struct { + Token *string `json:"token,omitempty"` +} + +// NewSubmitFedcmTokenBody instantiates a new SubmitFedcmTokenBody object +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed +func NewSubmitFedcmTokenBody() *SubmitFedcmTokenBody { + this := SubmitFedcmTokenBody{} + return &this +} + +// NewSubmitFedcmTokenBodyWithDefaults instantiates a new SubmitFedcmTokenBody object +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set +func NewSubmitFedcmTokenBodyWithDefaults() *SubmitFedcmTokenBody { + this := SubmitFedcmTokenBody{} + return &this +} + +// GetToken returns the Token field value if set, zero value otherwise. +func (o *SubmitFedcmTokenBody) GetToken() string { + if o == nil || o.Token == nil { + var ret string + return ret + } + return *o.Token +} + +// GetTokenOk returns a tuple with the Token field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SubmitFedcmTokenBody) GetTokenOk() (*string, bool) { + if o == nil || o.Token == nil { + return nil, false + } + return o.Token, true +} + +// HasToken returns a boolean if a field has been set. 
+func (o *SubmitFedcmTokenBody) HasToken() bool { + if o != nil && o.Token != nil { + return true + } + + return false +} + +// SetToken gets a reference to the given string and assigns it to the Token field. +func (o *SubmitFedcmTokenBody) SetToken(v string) { + o.Token = &v +} + +func (o SubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.Token != nil { + toSerialize["token"] = o.Token + } + return json.Marshal(toSerialize) +} + +type NullableSubmitFedcmTokenBody struct { + value *SubmitFedcmTokenBody + isSet bool +} + +func (v NullableSubmitFedcmTokenBody) Get() *SubmitFedcmTokenBody { + return v.value +} + +func (v *NullableSubmitFedcmTokenBody) Set(val *SubmitFedcmTokenBody) { + v.value = val + v.isSet = true +} + +func (v NullableSubmitFedcmTokenBody) IsSet() bool { + return v.isSet +} + +func (v *NullableSubmitFedcmTokenBody) Unset() { + v.value = nil + v.isSet = false +} + +func NewNullableSubmitFedcmTokenBody(val *SubmitFedcmTokenBody) *NullableSubmitFedcmTokenBody { + return &NullableSubmitFedcmTokenBody{value: val, isSet: true} +} + +func (v NullableSubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { + return json.Marshal(v.value) +} + +func (v *NullableSubmitFedcmTokenBody) UnmarshalJSON(src []byte) error { + v.isSet = true + return json.Unmarshal(src, &v.value) +} diff --git a/internal/httpclient/model_update_login_flow_with_oidc_method.go b/internal/httpclient/model_update_login_flow_with_oidc_method.go index cdd5c665bdc5..c7ebbec5e248 100644 --- a/internal/httpclient/model_update_login_flow_with_oidc_method.go +++ b/internal/httpclient/model_update_login_flow_with_oidc_method.go 
@@ -17,21 +17,21 @@ import ( // UpdateLoginFlowWithOidcMethod Update Login Flow with OpenID Connect Method type UpdateLoginFlowWithOidcMethod struct { + // The Provider to register with + Provider string `json:"Provider"` // The CSRF Token CsrfToken *string `json:"csrf_token,omitempty"` - // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google + // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google IdToken *string `json:"id_token,omitempty"` - // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and required. + // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and required. IdTokenNonce *string `json:"id_token_nonce,omitempty"` // Method to use This field must be set to `oidc` when using the oidc method. Method string `json:"method"` - // The provider to register with - Provider string `json:"provider"` // The identity traits. This is a placeholder for the registration flow. 
Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
@@ -39,10 +39,10 @@ type UpdateLoginFlowWithOidcMethod struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUpdateLoginFlowWithOidcMethod(method string, provider string) *UpdateLoginFlowWithOidcMethod { +func NewUpdateLoginFlowWithOidcMethod(provider string, method string) *UpdateLoginFlowWithOidcMethod { this := UpdateLoginFlowWithOidcMethod{} - this.Method = method this.Provider = provider + this.Method = method return &this } @@ -54,6 +54,30 @@ func NewUpdateLoginFlowWithOidcMethodWithDefaults() *UpdateLoginFlowWithOidcMeth return &this } +// GetProvider returns the Provider field value +func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string { + if o == nil { + var ret string + return ret + } + + return o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value +// and a boolean to check if the value has been set. +func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Provider, true +} + +// SetProvider sets field value +func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) { + o.Provider = v +} + // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. func (o *UpdateLoginFlowWithOidcMethod) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { 
@@ -174,30 +198,6 @@ func (o *UpdateLoginFlowWithOidcMethod) SetMethod(v string) { o.Method = v } -// GetProvider returns the Provider field value -func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string { - if o == nil { - var ret string - return ret - } - - return o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value -// and a boolean to check if the value has been set. -func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) { - if o == nil { - return nil, false - } - return &o.Provider, true -} - -// SetProvider sets field value -func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) { - o.Provider = v -} - // GetTraits returns the Traits field value if set, zero value otherwise. func (o *UpdateLoginFlowWithOidcMethod) GetTraits() map[string]interface{} { if o == nil || o.Traits == nil { @@ -296,6 +296,9 @@ func (o *UpdateLoginFlowWithOidcMethod) SetUpstreamParameters(v map[string]inter func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} + if true { + toSerialize["Provider"] = o.Provider + } if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken } @@ -308,9 +311,6 @@ func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) { if true { toSerialize["method"] = o.Method } - if true { - toSerialize["provider"] = o.Provider - } if o.Traits != nil { toSerialize["traits"] = o.Traits } diff --git a/internal/httpclient/model_update_registration_flow_with_oidc_method.go b/internal/httpclient/model_update_registration_flow_with_oidc_method.go index 2ee32605fee6..d96f8bb21777 100644 --- a/internal/httpclient/model_update_registration_flow_with_oidc_method.go +++ b/internal/httpclient/model_update_registration_flow_with_oidc_method.go 
@@ -17,21 +17,21 @@ import ( // UpdateRegistrationFlowWithOidcMethod Update Registration Flow with OpenID Connect Method type UpdateRegistrationFlowWithOidcMethod struct { + // The Provider to register with + Provider string `json:"Provider"` // The CSRF Token CsrfToken *string `json:"csrf_token,omitempty"` - // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google + // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google IdToken *string `json:"id_token,omitempty"` - // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and is required. + // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and is required. IdTokenNonce *string `json:"id_token_nonce,omitempty"` // Method to use This field must be set to `oidc` when using the oidc method. 
Method string `json:"method"` - // The provider to register with - Provider string `json:"provider"` // The identity traits Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
@@ -39,10 +39,10 @@ type UpdateRegistrationFlowWithOidcMethod struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUpdateRegistrationFlowWithOidcMethod(method string, provider string) *UpdateRegistrationFlowWithOidcMethod { +func NewUpdateRegistrationFlowWithOidcMethod(provider string, method string) *UpdateRegistrationFlowWithOidcMethod { this := UpdateRegistrationFlowWithOidcMethod{} - this.Method = method this.Provider = provider + this.Method = method return &this } @@ -54,6 +54,30 @@ func NewUpdateRegistrationFlowWithOidcMethodWithDefaults() *UpdateRegistrationFl return &this } +// GetProvider returns the Provider field value +func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string { + if o == nil { + var ret string + return ret + } + + return o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value +// and a boolean to check if the value has been set. +func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Provider, true +} + +// SetProvider sets field value +func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) { + o.Provider = v +} + // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. func (o *UpdateRegistrationFlowWithOidcMethod) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { 
@@ -174,30 +198,6 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetMethod(v string) { o.Method = v } -// GetProvider returns the Provider field value -func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string { - if o == nil { - var ret string - return ret - } - - return o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value -// and a boolean to check if the value has been set. -func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) { - if o == nil { - return nil, false - } - return &o.Provider, true -} - -// SetProvider sets field value -func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) { - o.Provider = v -} - // GetTraits returns the Traits field value if set, zero value otherwise. func (o *UpdateRegistrationFlowWithOidcMethod) GetTraits() map[string]interface{} { if o == nil || o.Traits == nil { @@ -296,6 +296,9 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetUpstreamParameters(v map[strin func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} + if true { + toSerialize["Provider"] = o.Provider + } if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken } @@ -308,9 +311,6 @@ func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) { if true { toSerialize["method"] = o.Method } - if true { - toSerialize["provider"] = o.Provider - } if o.Traits != nil { toSerialize["traits"] = o.Traits } diff --git a/internal/httpclient/model_update_settings_flow_with_oidc_method.go b/internal/httpclient/model_update_settings_flow_with_oidc_method.go index c54a0d1251f3..6a1650c5c317 100644 --- a/internal/httpclient/model_update_settings_flow_with_oidc_method.go +++ b/internal/httpclient/model_update_settings_flow_with_oidc_method.go 
@@ -19,7 +19,7 @@ import ( type UpdateSettingsFlowWithOidcMethod struct { // Flow ID is the flow's ID. in: query Flow *string `json:"flow,omitempty"` - // Link this provider Either this or `unlink` must be set. type: string in: body + // Link this Provider Either this or `unlink` must be set. type: string in: body Link *string `json:"link,omitempty"` // Method Should be set to profile when trying to update a profile. Method string `json:"method"` 
@@ -27,9 +27,9 @@ type UpdateSettingsFlowWithOidcMethod struct { Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // Unlink this provider Either this or `link` must be set. type: string in: body + // Unlink this Provider Either this or `link` must be set. type: string in: body Unlink *string `json:"unlink,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
diff --git a/selfservice/strategy/oidc/fedcm/definitions.go b/selfservice/strategy/oidc/fedcm/definitions.go
new file mode 100644
index 000000000000..aa6a90ebe6e7
--- /dev/null
+++ b/selfservice/strategy/oidc/fedcm/definitions.go
@@ -0,0 +1,121 @@
+// Copyright © 2025 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package fedcm
+
+type Provider struct {
+ // A full path of the IdP config file.
+ ConfigURL string `json:"config_url"`
+
+ // The RP's client identifier, issued by the IdP.
+ ClientID string `json:"client_id"`
+
+ // A random string to ensure the response is issued for this specific request.
+ // Prevents replay attacks.
+ Nonce string `json:"nonce"`
+
+ // By specifying one of login_hints values provided by the accounts endpoints,
+ // the FedCM dialog selectively shows the specified account.
+ LoginHint string `json:"login_hint,omitempty"`
+
+ // By specifying one of domain_hints values provided by the accounts endpoints,
+ // the FedCM dialog selectively shows the specified account.
+ DomainHint string `json:"domain_hint,omitempty"`
+
+ // Array of strings that specifies the user information ("name", " email",
+ // "picture") that RP needs IdP to share with them.
+ //
+ // Note: Field API is supported by Chrome 132 and later.
+ Fields []string `json:"fields,omitempty"`
+
+ // Custom object that allows to specify additional key-value parameters:
+ // - scope: A string value containing additional permissions that RP needs to
+ // request, for example " drive.readonly calendar.readonly"
+ // - nonce: A random string to ensure the response is issued for this specific
+ // request. Prevents replay attacks.
+ //
+ // Other custom key-value parameters.
+ //
+ // Note: parameters is supported from Chrome 132.
+ Parameters map[string]string `json:"parameters,omitempty"`
+}
+
+// GetParametersResponse
+//
+// Contains a list of all available FedCM providers.
+//
+// swagger:model getParametersResponse
+type GetParametersResponse struct {
+ Providers []Provider `json:"providers"`
+ CSRFToken string `json:"csrf_token"`
+}
+
+// swagger:route GET /self-service/fed-cm/parameters frontend getFedcmParameters
+//
+// # Get FedCM Parameters
+//
+// This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network.
+//
+// Consumes:
+// - application/json
+//
+// Produces:
+// - application/json
+//
+// Schemes: http, https
+//
+// Responses:
+// 200: getParametersResponse
+// 400: errorGeneric
+// default: errorGeneric
+
+type SubmitFedcmTokenBody struct {
+ // The provider to log in with.
+ Provider string `json:"provider"`
+
+ // Token contains the result of `navigator.credentials.get`.
+ Token string `json:"token"`
+
+ // Nonce is the nonce, used when generating the IDToken. If the provider supports
+ // nonce validation, the nonce will be validated against this value and required.
+ Nonce string `json:"nonce"`
+
+ // CSRFToken is the anti-CSRF token.
+ CSRFToken string `json:"csrf_token"`
+}
+
+// swagger:parameters submitFedcmToken
+type submitFedcmToken struct {
+ // in: body
+ // required: true
+ Body SubmitFedcmTokenBody
+}
+
+// swagger:route POST /self-service/fed-cm/token frontend submitFedcmToken
+//
+// # Submit a FedCM token
+//
+// Use this endpoint to submit a token from a FedCM provider through
+// `navigator.credentials.get` and log the user in. The parameters from
+// `navigator.credentials.get` must have come from `GET
+// /self-service/fed-cm/parameters`.
+//
+// Consumes:
+// - application/json
+// - application/x-www-form-urlencoded
+//
+// Produces:
+// - application/json
+//
+// Schemes: http, https
+//
+// Header:
+// - Set-Cookie
+//
+// Responses:
+// 200: successfulNativeLogin
+// 303: emptyResponse
+// 400: loginFlow
+// 410: errorGeneric
+// 422: errorBrowserLocationChangeRequired
+// default: errorGeneric
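Review bot: `SubmitFedcmTokenBody.Nonce` is supplied by the client, so the replay protection promised in the `Provider.Nonce` comment only holds if the handler compares it against the nonce the server issued in `GetParametersResponse` and kept server-side (e.g. on the flow), not against a value taken from the same request; the handler is not part of this patch, so this is a request to confirm. The exported `Provider` and `SubmitFedcmTokenBody` types have no leading doc comment, e.g. `// Provider describes one FedCM identity provider as handed to navigator.credentials.get.` and `// SubmitFedcmTokenBody is the request body of POST /self-service/fed-cm/token.`. The `Fields` comment also carries a stray space in `" email"`.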
diff --git a/selfservice/strategy/oidc/pkce.go b/selfservice/strategy/oidc/pkce.go index 2b397c8702b7..c14e3d3f01e2 100644 --- a/selfservice/strategy/oidc/pkce.go +++ b/selfservice/strategy/oidc/pkce.go @@ -48,7 +48,7 @@ func maybePKCE(ctx context.Context, d pkceDependencies, _p Provider) (verifier s // autodiscover PKCE support pkceSupported, err := discoverPKCE(ctx, d, p) if err != nil { - d.Logger().WithError(err).Warnf("Failed to autodiscover PKCE support for provider %q. Continuing without PKCE.", p.Config().ID) + d.Logger().WithError(err).Warnf("Failed to autodiscover PKCE support for Provider %q. Continuing without PKCE.", p.Config().ID) return "" } if !pkceSupported { @@ -67,13 +67,13 @@ func discoverPKCE(ctx context.Context, d pkceDependencies, p OAuth2Provider) (pk ctx = gooidc.ClientContext(ctx, d.HTTPClient(ctx).HTTPClient) gp, err := gooidc.NewProvider(ctx, p.Config().IssuerURL) if err != nil { - return false, errors.Wrap(err, "failed to initialize provider") + return false, errors.Wrap(err, "failed to initialize Provider") } var claims struct { CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"` } if err := gp.Claims(&claims); err != nil { - return false, errors.Wrap(err, "failed to deserialize provider claims") + return false, errors.Wrap(err, "failed to deserialize Provider claims") } return slices.Contains(claims.CodeChallengeMethodsSupported, "S256"), nil } diff --git a/selfservice/strategy/oidc/provider_apple.go b/selfservice/strategy/oidc/provider_apple.go index 7706eda9d9af..bc5523b22bbd 100644 --- a/selfservice/strategy/oidc/provider_apple.go +++ b/selfservice/strategy/oidc/provider_apple.go 
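Review bot: The `provider` → `Provider` rename has reached user-visible strings in both hunks of pkce.go — the `Warnf("Failed to autodiscover PKCE support for Provider %q ...")` message and the two `errors.Wrap` messages — where the lowercase common noun was correct, and the same case change reached comments in strategy.go (`@@ -680,13 +680,13 @@`). More seriously, the generated clients now declare `Provider string \`json:"Provider"\`` instead of `json:"provider"` for the login and registration OIDC method bodies, which is a wire-format change: either existing clients posting `provider` stop working, or the generated client now sends a key the server does not read, depending on whether the server-side struct was renamed the same way (not visible in this patch). Suggest restoring the lowercase spelling in strings, comments and the swagger annotation that produced the `Provider` key, e.g. `return false, errors.Wrap(err, "failed to initialize provider")`.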
@@ -156,13 +156,13 @@ func (a *ProviderApple) DecodeQuery(query url.Values, claims *Claims) { var _ IDTokenVerifier = new(ProviderApple) -const issuerUrlApple = "https://appleid.apple.com" +const issuerURLApple = "https://appleid.apple.com" func (a *ProviderApple) Verify(ctx context.Context, rawIDToken string) (*Claims, error) { keySet := oidc.NewRemoteKeySet(ctx, a.JWKSUrl) - ctx = oidc.ClientContext(ctx, a.reg.HTTPClient(ctx).HTTPClient) - return verifyToken(ctx, keySet, a.config, rawIDToken, issuerUrlApple) + + return verifyToken(ctx, keySet, a.config, rawIDToken, issuerURLApple) } var _ NonceValidationSkipper = new(ProviderApple) diff --git a/selfservice/strategy/oidc/provider_config.go b/selfservice/strategy/oidc/provider_config.go index 92b16fdf5f42..e27dd6db25fc 100644 --- a/selfservice/strategy/oidc/provider_config.go +++ b/selfservice/strategy/oidc/provider_config.go @@ -128,6 +128,10 @@ type Configuration struct { // Instead of /self-service/methods/oidc/callback/, you must use /self-service/methods/oidc/callback // (Note the missing path segment and no trailing slash). PKCE string `json:"pkce"` + + // FedCMConfigURL is the URL to the FedCM IdP configuration file. + // This is only effective in the Ory Network. + FedCMConfigURL string `json:"fedcm_config_url"` } func (p Configuration) Redir(public *url.URL) string { @@ -178,6 +182,7 @@ var supportedProviders = map[string]func(config *Configuration, reg Dependencies "lark": NewProviderLark, "x": NewProviderX, "jackson": NewProviderJackson, + "fedcm-test": NewProviderTestFedcm, } func (c ConfigurationCollection) Provider(id string, reg Dependencies) (Provider, error) { diff --git a/selfservice/strategy/oidc/provider_google.go b/selfservice/strategy/oidc/provider_google.go index 4e009b318380..b1f758bd726b 100644 --- a/selfservice/strategy/oidc/provider_google.go +++ b/selfservice/strategy/oidc/provider_google.go 
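Review bot: Removing `ctx = oidc.ClientContext(ctx, a.reg.HTTPClient(ctx).HTTPClient)` from `ProviderApple.Verify` leaves the JWKS fetch for `a.JWKSUrl` on go-oidc's default HTTP client instead of the registry's configured one, which is where timeouts and outbound-request policy live. In the original the call came after `oidc.NewRemoteKeySet`, and if go-oidc binds the client at key-set construction (which I believe it does) the line was already ineffective — that would explain the removal, but the remedy is to reorder rather than drop: `ctx = oidc.ClientContext(ctx, a.reg.HTTPClient(ctx).HTTPClient)` before `keySet := oidc.NewRemoteKeySet(ctx, a.JWKSUrl)`. The Google provider (`provider_google.go` hunk below) has the same order and would benefit from the same reordering.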
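Review bot: `"fedcm-test": NewProviderTestFedcm` is added to the package-level `supportedProviders` map unconditionally, so any deployment can enable the mock provider by configuration, and its `Verify` (provider_test_fedcm.go in this patch) accepts tokens signed with a constant secret. A mock provider should not be selectable outside tests; register it only from test code or behind a `testing.Testing()` check at init time, the same signal the netid change already relies on, rather than in the production map. At minimum document the constraint on the entry: `// fedcm-test is a mock provider with a fixed signing secret; never enable it outside tests.`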
@@ -78,6 +78,7 @@ const issuerUrlGoogle = "https://accounts.google.com" func (p *ProviderGoogle) Verify(ctx context.Context, rawIDToken string) (*Claims, error) { keySet := gooidc.NewRemoteKeySet(ctx, p.JWKSUrl) ctx = gooidc.ClientContext(ctx, p.reg.HTTPClient(ctx).HTTPClient) + return verifyToken(ctx, keySet, p.config, rawIDToken, issuerUrlGoogle) } diff --git a/selfservice/strategy/oidc/provider_netid.go b/selfservice/strategy/oidc/provider_netid.go index d936bf1b361c..93e3f3532cea 100644 --- a/selfservice/strategy/oidc/provider_netid.go +++ b/selfservice/strategy/oidc/provider_netid.go @@ -9,17 +9,16 @@ import ( "fmt" "net/url" "slices" + "testing" - gooidc "github.com/coreos/go-oidc/v3/oidc" - + "github.com/coreos/go-oidc/v3/oidc" "github.com/hashicorp/go-retryablehttp" "github.com/pkg/errors" "golang.org/x/oauth2" - "github.com/ory/x/urlx" - "github.com/ory/herodot" "github.com/ory/x/httpx" + "github.com/ory/x/urlx" ) const ( @@ -38,8 +37,8 @@ func NewProviderNetID( reg Dependencies, ) Provider { config.IssuerURL = fmt.Sprintf("%s://%s/", defaultBrokerScheme, defaultBrokerHost) - if !slices.Contains(config.Scope, gooidc.ScopeOpenID) { - config.Scope = append(config.Scope, gooidc.ScopeOpenID) + if !slices.Contains(config.Scope, oidc.ScopeOpenID) { + config.Scope = append(config.Scope, oidc.ScopeOpenID) } return &ProviderNetID{ 
@@ -118,6 +117,39 @@ func (n *ProviderNetID) Claims(ctx context.Context, exchange *oauth2.Token, _ ur return &userinfo, nil } +func (n *ProviderNetID) Verify(ctx context.Context, rawIDToken string) (*Claims, error) { + provider, err := n.provider(ctx) + if err != nil { + return nil, err + } + + idToken, err := provider.VerifierContext( + n.withHTTPClientContext(ctx), + &oidc.Config{ + ClientID: n.config.ClientID, + InsecureSkipSignatureCheck: testing.Testing(), + }, + ).Verify(ctx, rawIDToken) + if err != nil { + return nil, err + } + + var ( + claims Claims + rawClaims map[string]any + ) + + if err = idToken.Claims(&claims); err != nil { + return nil, err + } + if err = idToken.Claims(&rawClaims); err != nil { + return nil, err + } + claims.RawClaims = rawClaims + + return &claims, nil +} + func (n *ProviderNetID) brokerURL() *url.URL { return &url.URL{Scheme: defaultBrokerScheme, Host: defaultBrokerHost} } diff --git a/selfservice/strategy/oidc/provider_test_fedcm.go b/selfservice/strategy/oidc/provider_test_fedcm.go new file mode 100644 index 000000000000..5ea002faa74b --- /dev/null +++ b/selfservice/strategy/oidc/provider_test_fedcm.go 
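Review bot: `ProviderNetID.Verify` disables signature verification whenever `testing.Testing()` is true (`InsecureSkipSignatureCheck: testing.Testing()`), which both pulls the `testing` package into production code (see the import hunk `@@ -9,17 +9,16 @@`) and makes a security-critical branch depend on how the binary was built rather than on explicit, reviewable configuration. Prefer an unexported test seam, e.g. an `insecureSkipSignatureCheck bool` field on `ProviderNetID` that only the test package sets, so the production path reads `InsecureSkipSignatureCheck: n.insecureSkipSignatureCheck`. The new exported method also lacks a doc comment; something like `// Verify validates rawIDToken against the broker's key set and returns its claims, including the raw claim map.` matches what the body does.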
@@ -0,0 +1,49 @@
+// Copyright © 2023 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package oidc
+
+import (
+ "context"
+
+ "github.com/golang-jwt/jwt/v5"
+)
+
+// ProviderTestFedcm is a mock provider to test FedCM.
+type ProviderTestFedcm struct {
+ *ProviderGenericOIDC
+}
+
+var _ OAuth2Provider = (*ProviderTestFedcm)(nil)
+
+func NewProviderTestFedcm(
+ config *Configuration,
+ reg Dependencies,
+) Provider {
+ return &ProviderTestFedcm{
+ ProviderGenericOIDC: &ProviderGenericOIDC{
+ config: config,
+ reg: reg,
+ },
+ }
+}
+
+func (g *ProviderTestFedcm) Verify(_ context.Context, rawIDToken string) (claims *Claims, err error) {
+ rawClaims := &struct {
+ Claims
+ jwt.MapClaims
+ }{}
+ _, err = jwt.ParseWithClaims(rawIDToken, rawClaims, func(token *jwt.Token) (interface{}, error) {
+ return []byte(`xxxxxxx`), nil
+ }, jwt.WithoutClaimsValidation())
+ if err != nil {
+ return nil, err
+ }
+ rawClaims.Issuer = "https://example.com/fedcm"
+
+ if err = rawClaims.Claims.Validate(); err != nil {
+ return nil, err
+ }
+
+ return &rawClaims.Claims, nil
+}
diff --git a/selfservice/strategy/oidc/provider_test_fedcm_test.go b/selfservice/strategy/oidc/provider_test_fedcm_test.go
new file mode 100644
index 000000000000..715441d29dff
--- /dev/null
+++ b/selfservice/strategy/oidc/provider_test_fedcm_test.go
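Review bot: `ProviderTestFedcm.Verify` passes no `jwt.WithValidMethods` option, so the constant `[]byte(\`xxxxxxx\`)` key is offered for whatever algorithm the token header names; together with `jwt.WithoutClaimsValidation()` (no `exp`/`iat` checks by the parser) and the hard-coded `rawClaims.Issuer`, the only remaining check is whatever `Claims.Validate()` does, which is outside this patch. Even for a mock, pin the algorithm the fixture uses: `}, jwt.WithoutClaimsValidation(), jwt.WithValidMethods([]string{"HS256"}))`. The doc comment should also state the consequence, e.g. `// ProviderTestFedcm is a mock provider to test FedCM; it accepts HS256 tokens signed with a fixed secret and must never be enabled in production.`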
@@ -0,0 +1,26 @@
+// Copyright © 2025 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package oidc_test
+
+import (
+ "context"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+
+ "github.com/ory/kratos/internal"
+ "github.com/ory/kratos/selfservice/strategy/oidc"
+)
+
+func TestFedcmTestProvider(t *testing.T) {
+ _, reg := internal.NewVeryFastRegistryWithoutDB(t)
+
+ p := oidc.NewProviderTestFedcm(&oidc.Configuration{}, reg)
+
+ rawToken := `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI1NWVlMjgxNC02ZTQ4LTRmZTktYWIzNS1mM2QxYzczM2I3ZTciLCJub25jZSI6ImVkOWM0ZDcyMDZkMDc1YTg4NjY0ZmE3YjMwY2Q5ZGE2NGU4ZTkwMjY5MGJhZmI2YjNmMmY2OWU5YzU1ZGUyNTcwOTFlYTk3ZTFiZTFiYjdiNDZmMjJjYzY0ZSIsImV4cCI6MTczNzU1ODM4MTk3MSwiaWF0IjoxNzM3NDcxOTgxOTcxLCJlbWFpbCI6InhweGN3dnU1YjRuemZvdGZAZXhhbXBsZS5jb20iLCJuYW1lIjoiVXNlciBOYW1lIiwicGljdHVyZSI6Imh0dHBzOi8vYXBpLmRpY2ViZWFyLmNvbS83LngvYm90dHRzL3BuZz9zZWVkPSUyNDJiJTI0MTAlMjR5WEs3eWozNEg4SkhCNm8zOG1sc2xlYzl1WkozZ2F2UGlDaFdaeFFIbnk3VkFKRlouS3RGZSJ9.GnSP_x8J_yS5wrTwtB6B-BydYYljrpVjQjS2vZ5D8Hg`
+
+ claims, err := p.(oidc.IDTokenVerifier).Verify(context.Background(), rawToken)
+ require.NoError(t, err)
+ require.NotNil(t, claims)
+}
diff --git a/selfservice/strategy/oidc/strategy.go b/selfservice/strategy/oidc/strategy.go
index f04f06d35899..cc7900b2d1b2 100644
--- a/selfservice/strategy/oidc/strategy.go
+++ b/selfservice/strategy/oidc/strategy.go
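Review bot: `TestFedcmTestProvider` only asserts `require.NoError` and `require.NotNil`, so a `Verify` that returned an empty `Claims` would still pass; assert at least one decoded value, e.g. `require.Equal(t, "55ee2814-6e48-4fe9-ab35-f3d1c733b7e7", claims.Subject)`. A second case that feeds the same token with its signature segment altered and expects `require.Error` would pin the one property the mock verifier is supposed to provide.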
@@ -402,22 +402,22 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt req, state, cntnr, err := s.ValidateCallback(w, r, ps) if err != nil { if req != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) } else { - s.d.SelfServiceErrorManager().Forward(ctx, w, r, s.handleError(ctx, w, r, nil, "", nil, err)) + s.d.SelfServiceErrorManager().Forward(ctx, w, r, s.HandleError(ctx, w, r, nil, "", nil, err)) } return } if authenticated, err := s.alreadyAuthenticated(ctx, w, r, req); err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) } else if authenticated { return } - provider, err := s.provider(ctx, state.ProviderId) + provider, err := s.Provider(ctx, state.ProviderId) if err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } 
@@ -427,37 +427,37 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt case OAuth2Provider: token, err := s.exchangeCode(ctx, p, code, PKCEVerifier(state)) if err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } et, err = s.encryptOAuth2Tokens(ctx, token) if err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } claims, err = p.Claims(ctx, token, r.URL.Query()) if err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } case OAuth1Provider: token, err := p.ExchangeToken(ctx, r) if err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } claims, err = p.Claims(ctx, token) if err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } } if err = claims.Validate(); err != nil { - s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, err)) + s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, err)) return } 
@@ -467,15 +467,15 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt case *login.Flow: a.Active = s.ID() a.TransientPayload = cntnr.TransientPayload - if ff, err := s.processLogin(ctx, w, r, a, et, claims, provider, cntnr); err != nil { + if ff, err := s.ProcessLogin(ctx, w, r, a, et, claims, provider, cntnr); err != nil { if errors.Is(err, flow.ErrCompletedByStrategy) { return } if ff != nil { - s.forwardError(ctx, w, r, ff, err) + s.ForwardError(ctx, w, r, ff, err) return } - s.forwardError(ctx, w, r, a, err) + s.ForwardError(ctx, w, r, a, err) } return case *registration.Flow: @@ -483,10 +483,10 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt a.TransientPayload = cntnr.TransientPayload if ff, err := s.processRegistration(ctx, w, r, a, et, claims, provider, cntnr); err != nil { if ff != nil { - s.forwardError(ctx, w, r, ff, err) + s.ForwardError(ctx, w, r, ff, err) return } - s.forwardError(ctx, w, r, a, err) + s.ForwardError(ctx, w, r, a, err) } return case *settings.Flow: 
@@ -494,16 +494,16 @@ func (s *Strategy) HandleCallback(w http.ResponseWriter, r *http.Request, ps htt
 a.TransientPayload = cntnr.TransientPayload
 sess, err := s.d.SessionManager().FetchFromRequest(ctx, r)
 if err != nil {
- s.forwardError(ctx, w, r, a, s.handleError(ctx, w, r, a, state.ProviderId, nil, err))
+ s.ForwardError(ctx, w, r, a, s.HandleError(ctx, w, r, a, state.ProviderId, nil, err))
 return
 }
 if err := s.linkProvider(ctx, w, r, &settings.UpdateContext{Session: sess, Flow: a}, et, claims, provider); err != nil {
- s.forwardError(ctx, w, r, a, s.handleError(ctx, w, r, a, state.ProviderId, nil, err))
+ s.ForwardError(ctx, w, r, a, s.HandleError(ctx, w, r, a, state.ProviderId, nil, err))
 return
 }
 return
 default:
- s.forwardError(ctx, w, r, req, s.handleError(ctx, w, r, req, state.ProviderId, nil, errors.WithStack(x.PseudoPanic.
+ s.ForwardError(ctx, w, r, req, s.HandleError(ctx, w, r, req, state.ProviderId, nil, errors.WithStack(x.PseudoPanic.
 WithDetailf("cause", "Unexpected type in OpenID Connect flow: %T", a))))
 return
 }
@@ -555,7 +555,7 @@ func (s *Strategy) Config(ctx context.Context) (*ConfigurationCollection, error)
 return &c, nil
 }
-func (s *Strategy) provider(ctx context.Context, id string) (Provider, error) {
+func (s *Strategy) Provider(ctx context.Context, id string) (Provider, error) {
 if c, err := s.Config(ctx); err != nil {
 return nil, err
 } else if provider, err := c.Provider(id, s.d); err != nil {
@@ -565,7 +565,7 @@ func (s *Strategy) provider(ctx context.Context, id string) (Provider, error) {
 }
 }
-func (s *Strategy) forwardError(ctx context.Context, w http.ResponseWriter, r *http.Request, f flow.Flow, err error) {
+func (s *Strategy) ForwardError(ctx context.Context, w http.ResponseWriter, r *http.Request, f flow.Flow, err error) {
 switch ff := f.(type) {
 case *login.Flow:
 s.d.LoginFlowErrorHandler().WriteFlowError(w, r, ff, s.NodeGroup(), err)
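Review bot: `Provider` (the `@@ -555` hunk) and `ForwardError` (the `@@ -565` hunk) become exported without the doc comment Go expects on every exported name; the same gap applies to `HandleError` in L85, `ProcessIDToken` in L86 and `ProcessLogin` in L88. As these are now extension points for other packages, the comment should state what a caller may rely on, e.g. `// Provider returns the configured Provider with the given id, or an error when it is not configured.` and `// ForwardError writes err to the error handler matching the concrete flow type of f.` The body of ForwardError continues outside the hunk, so only the login case is visible here.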
@@ -582,7 +582,7 @@ func (s *Strategy) forwardError(ctx context.Context, w http.ResponseWriter, r *h
 }
 }
-func (s *Strategy) handleError(ctx context.Context, w http.ResponseWriter, r *http.Request, f flow.Flow, usedProviderID string, traits []byte, err error) error {
+func (s *Strategy) HandleError(ctx context.Context, w http.ResponseWriter, r *http.Request, f flow.Flow, usedProviderID string, traits []byte, err error) error {
 switch rf := f.(type) {
 case *login.Flow:
 return err
@@ -664,7 +664,7 @@ func (s *Strategy) handleError(ctx context.Context, w http.ResponseWriter, r *ht
 func (s *Strategy) populateAccountLinkingUI(ctx context.Context, lf *login.Flow, usedProviderID string, duplicateIdentifier string, availableCredentials []string, availableProviders []string) {
 newLoginURL := s.d.Config().SelfServiceFlowLoginUI(ctx).String()
 usedProviderLabel := usedProviderID
- provider, _ := s.provider(ctx, usedProviderID)
+ provider, _ := s.Provider(ctx, usedProviderID)
 if provider != nil && provider.Config() != nil {
 usedProviderLabel = provider.Config().Label
 if usedProviderLabel == "" {
@@ -680,13 +680,13 @@ func (s *Strategy) populateAccountLinkingUI(ctx context.Context, lf *login.Flow,
 continue
 }
- // Skip the provider that was used to get here (in case they used an OIDC provider)
+ // Skip the Provider that was used to get here (in case they used an OIDC Provider)
 pID := gjson.GetBytes(n.Meta.Label.Context, "provider_id").String()
 if n.Group == node.OpenIDConnectGroup {
 if pID == usedProviderID {
 continue
 }
- // Hide any provider that is not available for the user
+ // Hide any Provider that is not available for the user
 if loginHintsEnabled && !slices.Contains(availableProviders, pID) {
 continue
 }
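Review bot: The two comment edits in the `@@ -680` hunk (`// Skip the Provider …`, `// Hide any Provider …`) capitalise the ordinary English word, which reads as the identifier rename having been applied to prose; the same artifact reaches user-facing reason strings in L86 (`"The Provider %s does not support id_token verification"`) and L87 (`"… required by the Provider"`), the debug string in L91 and the JSON descriptions in L103–L107. Comments and messages should keep the lowercase noun, e.g. `// Skip the provider that was used to get here (in case they used an OIDC provider)`. Reason strings are shown to end users, so their wording should not drift in a commit that is otherwise a rename. populateAccountLinkingUI continues outside the hunk.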
@@ -697,7 +697,7 @@ func (s *Strategy) populateAccountLinkingUI(ctx context.Context, lf *login.Flow,
 case text.InfoSelfServiceLogin:
 n.Meta.Label = text.NewInfoLoginAndLink()
 case text.InfoSelfServiceLoginWith:
- p := gjson.GetBytes(n.Meta.Label.Context, "provider").String()
+ p := gjson.GetBytes(n.Meta.Label.Context, "Provider").String()
 n.Meta.Label = text.NewInfoLoginWithAndLink(p)
 }
@@ -742,18 +742,18 @@ func (s *Strategy) CompletedAuthenticationMethod(ctx context.Context) session.Au
 }
 }
-func (s *Strategy) processIDToken(r *http.Request, provider Provider, idToken, idTokenNonce string) (*Claims, error) {
+func (s *Strategy) ProcessIDToken(r *http.Request, provider Provider, idToken, idTokenNonce string) (*Claims, error) {
 verifier, ok := provider.(IDTokenVerifier)
 if !ok {
- return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The provider %s does not support id_token verification", provider.Config().Provider))
+ return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("The Provider %s does not support id_token verification", provider.Config().Provider))
 }
 claims, err := verifier.Verify(r.Context(), idToken)
 if err != nil {
- return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Could not verify id_token").WithError(err.Error()))
+ return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("Could not verify id_token").WithError(err.Error()))
 }
 if err := claims.Validate(); err != nil {
- return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The id_token claims were invalid").WithError(err.Error()))
+ return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("The id_token claims were invalid").WithError(err.Error()))
 }
 // First check if the JWT contains the nonce claim.
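Review bot: The lookup key in `p := gjson.GetBytes(n.Meta.Label.Context, "Provider").String()` is a runtime JSON key, not an identifier, and the rename turned `"provider"` into `"Provider"`; unless the code that writes the label context was changed the same way (not visible in this diff), the read now yields an empty string and `text.NewInfoLoginWithAndLink(p)` renders a link label with no provider name. The neighbouring lookup `gjson.GetBytes(n.Meta.Label.Context, "provider_id")` in L85 was left lowercase, which suggests this key was never meant to change. Restore `"provider"` here, and consider a test asserting that the rendered label contains the provider name so a later rename cannot silently break it. populateAccountLinkingUI starts and ends outside the hunk.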
@@ -761,17 +761,17 @@ func (s *Strategy) processIDToken(r *http.Request, provider Provider, idToken, i
 // If it doesn't, check if the provider supports nonces.
 if nonceSkipper, ok := verifier.(NonceValidationSkipper); !ok || !nonceSkipper.CanSkipNonce(claims) {
 // If the provider supports nonces, abort the flow!
- return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("No nonce was included in the id_token but is required by the provider"))
+ return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was included in the id_token but is required by the Provider"))
 }
 // If the provider does not support nonces, we don't do validation and return the claim.
 // This case only applies to Apple, as some of their devices do not support nonces.
 // https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
 } else if idTokenNonce == "" {
 // A nonce was present in the JWT token, but no nonce was submitted in the flow
- return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("No nonce was provided but is required by the provider"))
+ return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was provided but is required by the Provider"))
 } else if idTokenNonce != claims.Nonce {
 // The nonce from the JWT token does not match the nonce from the flow.
- return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("The supplied nonce does not match the nonce from the id_token"))
+ return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("The supplied nonce does not match the nonce from the id_token"))
 }
 // Nonce checking was successful
@@ -780,7 +780,7 @@ func (s *Strategy) processIDToken(r *http.Request, provider Provider, idToken, i
 func (s *Strategy) linkCredentials(ctx context.Context, i *identity.Identity, tokens *identity.CredentialsOIDCEncryptedTokens, provider, subject, organization string) (err error) {
 ctx, span := s.d.Tracer(ctx).Tracer().Start(ctx, "strategy.oidc.linkCredentials", trace.WithAttributes(
- attribute.String("provider", provider),
+ attribute.String("Provider", provider),
 // attribute.String("subject", subject), // PII
 attribute.String("organization", organization)))
 defer otelx.End(span, &err)
diff --git a/selfservice/strategy/oidc/strategy_login.go b/selfservice/strategy/oidc/strategy_login.go
index 392009ec2241..fa1c1c2b63cb 100644
--- a/selfservice/strategy/oidc/strategy_login.go
+++ b/selfservice/strategy/oidc/strategy_login.go
@@ -98,7 +98,7 @@ type UpdateLoginFlowWithOidcMethod struct {
 TransientPayload json.RawMessage `json:"transient_payload,omitempty" form:"transient_payload"`
 }
-func (s *Strategy) processLogin(ctx context.Context, w http.ResponseWriter, r *http.Request, loginFlow *login.Flow, token *identity.CredentialsOIDCEncryptedTokens, claims *Claims, provider Provider, container *AuthCodeContainer) (_ *registration.Flow, err error) {
+func (s *Strategy) ProcessLogin(ctx context.Context, w http.ResponseWriter, r *http.Request, loginFlow *login.Flow, token *identity.CredentialsOIDCEncryptedTokens, claims *Claims, provider Provider, container *AuthCodeContainer) (_ *registration.Flow, err error) {
 ctx, span := s.d.Tracer(ctx).Tracer().Start(ctx, "selfservice.strategy.oidc.Strategy.processLogin")
 defer otelx.End(span, &err)
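Review bot: `attribute.String("Provider", provider)` renames a span attribute key rather than a Go identifier; the sibling attributes on the same span (`"organization"`, and the commented-out `"subject"`) stay lowercase, so any trace query or alert that filters the `strategy.oidc.linkCredentials` span on `provider` stops matching after this commit. Keep the wire key stable: `attribute.String("provider", provider),`. linkCredentials continues outside the hunk.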
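Review bot: The span name on the line after the renamed signature still reads `"selfservice.strategy.oidc.Strategy.processLogin"` while the method is now `ProcessLogin`, so someone going from a trace to the code will look for a method that no longer exists. Either update it to `"selfservice.strategy.oidc.Strategy.ProcessLogin"` after checking which dashboards key on the old name, or leave a one-line comment saying the old span name is kept on purpose for continuity. The method body continues outside the hunk.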
@@ -133,12 +133,12 @@ func (s *Strategy) processLogin(ctx context.Context, w http.ResponseWriter, r *h registrationFlow, err := s.d.RegistrationHandler().NewRegistrationFlow(w, r, loginFlow.Type, opts...) if err != nil { - return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) + return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) } err = s.d.SessionTokenExchangePersister().MoveToNewFlow(ctx, loginFlow.ID, registrationFlow.ID) if err != nil { - return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) + return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) } registrationFlow.OrganizationID = loginFlow.OrganizationID @@ -149,7 +149,7 @@ func (s *Strategy) processLogin(ctx context.Context, w http.ResponseWriter, r *h registrationFlow.Active = s.ID() if err != nil { - return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) + return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) } if _, err := s.processRegistration(ctx, w, r, registrationFlow, token, claims, provider, container); err != nil { 
@@ -159,12 +159,12 @@ func (s *Strategy) processLogin(ctx context.Context, w http.ResponseWriter, r *h return nil, nil } - return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) + return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) } var oidcCredentials identity.CredentialsOIDC if err := json.NewDecoder(bytes.NewBuffer(c.Config)).Decode(&oidcCredentials); err != nil { - return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("The password credentials could not be decoded properly").WithDebug(err.Error()))) + return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("The password credentials could not be decoded properly").WithDebug(err.Error()))) } sess := session.NewInactiveSession() 
@@ -173,13 +173,13 @@ func (s *Strategy) processLogin(ctx context.Context, w http.ResponseWriter, r *h for _, c := range oidcCredentials.Providers { if c.Subject == claims.Subject && c.Provider == provider.Config().ID { if err = s.d.LoginHookExecutor().PostLoginHook(w, r, node.OpenIDConnectGroup, loginFlow, i, sess, provider.Config().ID); err != nil { - return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) + return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err) } return nil, nil } } - return nil, s.handleError(ctx, w, r, loginFlow, provider.Config().ID, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("Unable to find matching OpenID Connect Credentials.").WithDebugf(`Unable to find credentials that match the given provider "%s" and subject "%s".`, provider.Config().ID, claims.Subject))) + return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("Unable to find matching OpenID Connect Credentials.").WithDebugf(`Unable to find credentials that match the given Provider "%s" and subject "%s".`, provider.Config().ID, claims.Subject))) } func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, _ *session.Session) (i *identity.Identity, err error) { @@ -193,7 +193,7 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, var p UpdateLoginFlowWithOidcMethod if err := s.newLinkDecoder(ctx, &p, r); err != nil { - return nil, s.handleError(ctx, w, r, f, "", nil, err) + return nil, s.HandleError(ctx, w, r, f, "", nil, err) } f.IDToken = p.IDToken 
@@ -218,43 +218,43 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, } if err := flow.MethodEnabledAndAllowed(ctx, f.GetFlowName(), s.SettingsStrategyID(), s.SettingsStrategyID(), s.d); err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, s.handleMethodNotAllowedError(err)) + return nil, s.HandleError(ctx, w, r, f, pid, nil, s.handleMethodNotAllowedError(err)) } - provider, err := s.provider(ctx, pid) + provider, err := s.Provider(ctx, pid) if err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } req, err := s.validateFlow(ctx, r, f.ID) if err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } if authenticated, err := s.alreadyAuthenticated(ctx, w, r, req); err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } else if authenticated { return i, nil } if p.IDToken != "" { - claims, err := s.processIDToken(r, provider, p.IDToken, p.IDTokenNonce) + claims, err := s.ProcessIDToken(r, provider, p.IDToken, p.IDTokenNonce) if err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } - _, err = s.processLogin(ctx, w, r, f, nil, claims, provider, &AuthCodeContainer{ + _, err = s.ProcessLogin(ctx, w, r, f, nil, claims, provider, &AuthCodeContainer{ FlowID: f.ID.String(), Traits: p.Traits, }) if err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } return nil, errors.WithStack(flow.ErrCompletedByStrategy) } state, pkce, err := s.GenerateState(ctx, provider, f.ID) if err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } if err := s.d.ContinuityManager().Pause(ctx, w, r, sessionName, 
continuity.WithPayload(&AuthCodeContainer{ @@ -264,12 +264,12 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, TransientPayload: f.TransientPayload, }), continuity.WithLifespan(time.Minute*30)); err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } f.Active = s.ID() if err = s.d.LoginFlowPersister().UpdateLoginFlow(ctx, f); err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("Could not update flow").WithDebug(err.Error()))) + return nil, s.HandleError(ctx, w, r, f, pid, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("Could not update flow").WithDebug(err.Error()))) } var up map[string]string @@ -279,7 +279,7 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, codeURL, err := getAuthRedirectURL(ctx, provider, f, state, up, pkce) if err != nil { - return nil, s.handleError(ctx, w, r, f, pid, nil, err) + return nil, s.HandleError(ctx, w, r, f, pid, nil, err) } if x.IsJSONRequest(r) { diff --git a/selfservice/strategy/oidc/strategy_registration.go b/selfservice/strategy/oidc/strategy_registration.go index 5ed061119e7b..58bef664c4b0 100644 --- a/selfservice/strategy/oidc/strategy_registration.go +++ b/selfservice/strategy/oidc/strategy_registration.go @@ -156,7 +156,7 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat var p UpdateRegistrationFlowWithOidcMethod if err := s.newLinkDecoder(ctx, &p, r); err != nil { - return s.handleError(ctx, w, r, f, "", nil, err) + return s.HandleError(ctx, w, r, f, "", nil, err) } pid := p.Provider // this can come from both url query and post body 
@@ -181,29 +181,29 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat } if err := flow.MethodEnabledAndAllowed(ctx, f.GetFlowName(), s.SettingsStrategyID(), s.SettingsStrategyID(), s.d); err != nil { - return s.handleError(ctx, w, r, f, pid, nil, s.handleMethodNotAllowedError(err)) + return s.HandleError(ctx, w, r, f, pid, nil, s.handleMethodNotAllowedError(err)) } - provider, err := s.provider(ctx, pid) + provider, err := s.Provider(ctx, pid) if err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } req, err := s.validateFlow(ctx, r, f.ID) if err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } if authenticated, err := s.alreadyAuthenticated(ctx, w, r, req); err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } else if authenticated { return errors.WithStack(registration.ErrAlreadyLoggedIn) } if p.IDToken != "" { - claims, err := s.processIDToken(r, provider, p.IDToken, p.IDTokenNonce) + claims, err := s.ProcessIDToken(r, provider, p.IDToken, p.IDTokenNonce) if err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } _, err = s.processRegistration(ctx, w, r, f, nil, claims, provider, &AuthCodeContainer{ FlowID: f.ID.String(), 
@@ -211,14 +211,14 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat TransientPayload: f.TransientPayload, }) if err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } return errors.WithStack(flow.ErrCompletedByStrategy) } state, pkce, err := s.GenerateState(ctx, provider, f.ID) if err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } if err := s.d.ContinuityManager().Pause(ctx, w, r, sessionName, continuity.WithPayload(&AuthCodeContainer{ @@ -228,7 +228,7 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat TransientPayload: f.TransientPayload, }), continuity.WithLifespan(time.Minute*30)); err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } var up map[string]string @@ -238,7 +238,7 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat codeURL, err := getAuthRedirectURL(ctx, provider, f, state, up, pkce) if err != nil { - return s.handleError(ctx, w, r, f, pid, nil, err) + return s.HandleError(ctx, w, r, f, pid, nil, err) } if x.IsJSONRequest(r) { s.d.Writer().WriteError(w, r, flow.NewBrowserLocationChangeRequiredError(codeURL)) 
@@ -297,17 +297,17 @@ func (s *Strategy) processRegistration(ctx context.Context, w http.ResponseWrite
 // not need additional consent/login.
 // This is kinda hacky but the only way to ensure seamless login/registration flows when using OIDC.
- s.d.Logger().WithRequest(r).WithField("provider", provider.Config().ID).
+ s.d.Logger().WithRequest(r).WithField("Provider", provider.Config().ID).
 WithField("subject", claims.Subject).
 Debug("Received successful OpenID Connect callback but user is already registered. Re-initializing login flow now.")
 lf, err := s.registrationToLogin(ctx, w, r, rf)
 if err != nil {
- return nil, s.handleError(ctx, w, r, rf, provider.Config().ID, nil, err)
+ return nil, s.HandleError(ctx, w, r, rf, provider.Config().ID, nil, err)
 }
- if _, err := s.processLogin(ctx, w, r, lf, token, claims, provider, container); err != nil {
- return lf, s.handleError(ctx, w, r, rf, provider.Config().ID, nil, err)
+ if _, err := s.ProcessLogin(ctx, w, r, lf, token, claims, provider, container); err != nil {
+ return lf, s.HandleError(ctx, w, r, rf, provider.Config().ID, nil, err)
 }
 return nil, nil
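Review bot: `WithField("Provider", provider.Config().ID)` changes a structured-log field name while the chained `WithField("subject", claims.Subject)` stays lowercase, so this one log line now emits a `Provider` key that differs from the other fields on the same entry; log queries and detection rules that key on `provider` for the "already registered, re-initializing login" path stop matching. Restore `WithField("provider", provider.Config().ID).` so the field name stays stable across the codebase. processRegistration begins before the hunk.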
@@ -316,17 +316,17 @@ func (s *Strategy) processRegistration(ctx context.Context, w http.ResponseWrite fetch := fetcher.NewFetcher(fetcher.WithClient(s.d.HTTPClient(ctx)), fetcher.WithCache(jsonnetCache, 60*time.Minute)) jsonnetMapperSnippet, err := fetch.FetchContext(ctx, provider.Config().Mapper) if err != nil { - return nil, s.handleError(ctx, w, r, rf, provider.Config().ID, nil, err) + return nil, s.HandleError(ctx, w, r, rf, provider.Config().ID, nil, err) } i, va, err := s.createIdentity(ctx, w, r, rf, claims, provider, container, jsonnetMapperSnippet.Bytes()) if err != nil { - return nil, s.handleError(ctx, w, r, rf, provider.Config().ID, nil, err) + return nil, s.HandleError(ctx, w, r, rf, provider.Config().ID, nil, err) } // Validate the identity itself if err := s.d.IdentityValidator().Validate(ctx, i); err != nil { - return nil, s.handleError(ctx, w, r, rf, provider.Config().ID, i.Traits, err) + return nil, s.HandleError(ctx, w, r, rf, provider.Config().ID, i.Traits, err) } for n := range i.VerifiableAddresses { @@ -343,12 +343,12 @@ func (s *Strategy) processRegistration(ctx context.Context, w http.ResponseWrite creds, err := identity.NewCredentialsOIDC(token, provider.Config().ID, claims.Subject, provider.Config().OrganizationID) if err != nil { - return nil, s.handleError(ctx, w, r, rf, provider.Config().ID, i.Traits, err) + return nil, s.HandleError(ctx, w, r, rf, provider.Config().ID, i.Traits, err) } i.SetCredentials(s.ID(), *creds) if err := s.d.RegistrationExecutor().PostRegistrationHook(w, r, s.ID(), provider.Config().ID, provider.Config().OrganizationID, rf, i); err != nil { - return nil, s.handleError(ctx, w, r, rf, provider.Config().ID, i.Traits, err) + return nil, s.HandleError(ctx, w, r, rf, provider.Config().ID, i.Traits, err) } return nil, nil 
@@ -357,36 +357,36 @@ func (s *Strategy) processRegistration(ctx context.Context, w http.ResponseWrite func (s *Strategy) createIdentity(ctx context.Context, w http.ResponseWriter, r *http.Request, a *registration.Flow, claims *Claims, provider Provider, container *AuthCodeContainer, jsonnetSnippet []byte) (*identity.Identity, []VerifiedAddress, error) { var jsonClaims bytes.Buffer if err := json.NewEncoder(&jsonClaims).Encode(claims); err != nil { - return nil, nil, s.handleError(ctx, w, r, a, provider.Config().ID, nil, err) + return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, nil, err) } vm, err := s.d.JsonnetVM(ctx) if err != nil { - return nil, nil, s.handleError(ctx, w, r, a, provider.Config().ID, nil, err) + return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, nil, err) } vm.ExtCode("claims", jsonClaims.String()) evaluated, err := vm.EvaluateAnonymousSnippet(provider.Config().Mapper, string(jsonnetSnippet)) if err != nil { - return nil, nil, s.handleError(ctx, w, r, a, provider.Config().ID, nil, err) + return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, nil, err) } i := identity.NewIdentity(s.d.Config().DefaultIdentityTraitsSchemaID(ctx)) if err := s.setTraits(ctx, w, r, a, provider, container, evaluated, i); err != nil { - return nil, nil, s.handleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) + return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) } if err := s.setMetadata(evaluated, i, PublicMetadata); err != nil { - return nil, nil, s.handleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) + return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) } if err := s.setMetadata(evaluated, i, AdminMetadata); err != nil { - return nil, nil, s.handleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) + return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) } va, err := s.extractVerifiedAddresses(evaluated) if err != 
nil { - return nil, nil, s.handleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) + return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, i.Traits, err) } if orgID, err := uuid.FromString(provider.Config().OrganizationID); err == nil { @@ -412,7 +412,7 @@ func (s *Strategy) setTraits(ctx context.Context, w http.ResponseWriter, r *http if container != nil { traits, err := merge(container.Traits, json.RawMessage(jsonTraits.Raw)) if err != nil { - return s.handleError(ctx, w, r, a, provider.Config().ID, nil, err) + return s.HandleError(ctx, w, r, a, provider.Config().ID, nil, err) } i.Traits = traits diff --git a/selfservice/strategy/oidc/strategy_settings.go b/selfservice/strategy/oidc/strategy_settings.go index fa82ab5a1499..cf76e9f2feb3 100644 --- a/selfservice/strategy/oidc/strategy_settings.go +++ b/selfservice/strategy/oidc/strategy_settings.go @@ -359,7 +359,7 @@ func (s *Strategy) initLinkProvider(ctx context.Context, w http.ResponseWriter, return s.handleSettingsError(ctx, w, r, ctxUpdate, p, errors.WithStack(settings.NewFlowNeedsReAuth())) } - provider, err := s.provider(ctx, p.Link) + provider, err := s.Provider(ctx, p.Link) if err != nil { return s.handleSettingsError(ctx, w, r, ctxUpdate, p, err) } diff --git a/selfservice/strategy/oidc/token_verifier.go b/selfservice/strategy/oidc/token_verifier.go index ce9cb8b3d3ee..42b16767a041 100644 --- a/selfservice/strategy/oidc/token_verifier.go +++ b/selfservice/strategy/oidc/token_verifier.go 
@@ -35,8 +35,19 @@ func verifyToken(ctx context.Context, keySet oidc.KeySet, config *Configuration,
 return nil, fmt.Errorf("token audience didn't match allowed audiences: %+v %w", tokenAudiences, err)
 }
 claims := &Claims{}
+ var rawClaims map[string]any
+
+ if token == nil {
+ return nil, fmt.Errorf("token is nil")
+ }
+
 if err := token.Claims(claims); err != nil {
 return nil, err
 }
+ if err = token.Claims(&rawClaims); err != nil {
+ return nil, err
+ }
+ claims.RawClaims = rawClaims
+
 return claims, nil
 }
diff --git a/spec/api.json b/spec/api.json
index 6f31f07b7172..6de5bf4034f5 100644
--- a/spec/api.json
+++ b/spec/api.json
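Review bot: The new `if token == nil` guard is placed after the audience check, whose error message already formats `tokenAudiences`; if those audiences were read from `token` earlier in verifyToken (the start of the function is outside the hunk), a nil token would already have been dereferenced before the guard runs, so the check belongs at the top of the function before any use of `token`. The second decode copies every claim of the verified token into `claims.RawClaims`, including claims that `Claims` does not model and that `claims.Validate()` elsewhere does not cover; the field definition (not in this diff) should say so, e.g. `// RawClaims holds every claim of the verified id_token as the IdP sent it; nothing beyond the typed Claims fields is validated, so consumers must treat these values as untrusted input.` Minor: `if err = token.Claims(&rawClaims)` assigns the outer err while the preceding check uses `:=`; using `if err := …` here too keeps the two checks symmetric.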
@@ -413,10 +413,57 @@ }, "type": "object" }, + "Provider": { + "properties": { + "client_id": { + "description": "The RP's client identifier, issued by the IdP.", + "type": "string" + }, + "config_url": { + "description": "A full path of the IdP config file.", + "type": "string" + }, + "domain_hint": { + "description": "By specifying one of domain_hints values provided by the accounts endpoints,\nthe FedCM dialog selectively shows the specified account.", + "type": "string" + }, + "fields": { + "description": "Array of strings that specifies the user information (\"name\", \" email\",\n\"picture\") that RP needs IdP to share with them.\n\nNote: Field API is supported by Chrome 132 and later.", + "items": { + "type": "string" + }, + "type": "array" + }, + "login_hint": { + "description": "By specifying one of login_hints values provided by the accounts endpoints,\nthe FedCM dialog selectively shows the specified account.", + "type": "string" + }, + "nonce": { + "description": "A random string to ensure the response is issued for this specific request.\nPrevents replay attacks.", + "type": "string" + }, + "parameters": { + "additionalProperties": { + "type": "string" + }, + "description": "Custom object that allows to specify additional key-value parameters:\nscope: A string value containing additional permissions that RP needs to\nrequest, for example \" drive.readonly calendar.readonly\"\nnonce: A random string to ensure the response is issued for this specific\nrequest. Prevents replay attacks.\n\nOther custom key-value parameters.\n\nNote: parameters is supported from Chrome 132.", + "type": "object" + } + }, + "type": "object" + }, "RecoveryAddressType": { "title": "RecoveryAddressType must not exceed 16 characters as that is the limitation in the SQL Schema.", "type": "string" }, + "SubmitFedcmTokenBody": { + "properties": { + "token": { + "type": "string" + } + }, + "type": "object" + }, "Time": { "format": "date-time", "type": "string" 
@@ -905,6 +952,22 @@ ], "type": "object" }, + "getParametersResponse": { + "description": "Contains a list of all available FedCM providers.", + "properties": { + "csrf_token": { + "type": "string" + }, + "providers": { + "items": { + "$ref": "#/components/schemas/Provider" + }, + "type": "array" + } + }, + "title": "GetParametersResponse", + "type": "object" + }, "healthNotReadyStatus": { "properties": { "errors": { 
@@ -2818,26 +2881,26 @@ "updateLoginFlowWithOidcMethod": { "description": "Update Login Flow with OpenID Connect Method", "properties": { + "Provider": { + "description": "The Provider to register with", + "type": "string" + }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, - "provider": { - "description": "The provider to register with", - "type": "string" - }, "traits": { "description": "The identity traits. This is a placeholder for the registration flow.", "type": "object" 
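Review bot: This hunk together with the `@@ -2847` hunk in L105 renames the request body property `provider` to `Provider` and makes `Provider` the required key of `updateLoginFlowWithOidcMethod`; the `@@ -3123` hunk in L106–L107 does the same for `updateRegistrationFlowWithOidcMethod`. JSON property names are wire contract, so every existing client that posts `"provider"` would fail validation once this spec and the models it is generated from ship, and a commit titled "feat: more extension points" gives no hint of a breaking change. The other property names in the same object stay lowercase (`csrf_token`, `id_token_nonce`, `upstream_parameters`), which suggests the identifier rename leaked into a struct tag; spec/api.json looks generated, so the fix is to restore the lowercase tag on the source struct and regenerate, after which `"provider"` and `"required": ["provider", "method"]` come back on their own.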
@@ -2847,12 +2910,12 @@ "type": "object" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } }, "required": [ - "provider", + "Provider", "method" ], "type": "object" 
@@ -3123,26 +3186,26 @@ "updateRegistrationFlowWithOidcMethod": { "description": "Update Registration Flow with OpenID Connect Method", "properties": { + "Provider": { + "description": "The Provider to register with", + "type": "string" + }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and is required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and is required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, - "provider": { - "description": "The provider to register with", - "type": "string" - }, "traits": { "description": "The identity traits", "type": "object" 
@@ -3152,12 +3215,12 @@ "type": "object" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } }, "required": [ - "provider", + "Provider", "method" ], "type": "object" @@ -3375,7 +3438,7 @@ "type": "string" }, "link": { - "description": "Link this provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", + "description": "Link this Provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", "type": "string" }, "method": { 
@@ -3391,11 +3454,11 @@ "type": "object" }, "unlink": { - "description": "Unlink this provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", + "description": "Unlink this Provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", "type": "string" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } }, 
@@ -5484,6 +5547,129 @@ ] } }, + "/self-service/fed-cm/parameters": { + "get": { + "description": "This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network.", + "operationId": "getFedcmParameters", + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/getParametersResponse" + } + } + }, + "description": "getParametersResponse" + }, + "400": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + } + }, + "summary": "Get FedCM Parameters", + "tags": [ + "frontend" + ] + } + }, + "/self-service/fed-cm/token": { + "post": { + "description": "Use this endpoint to submit a token from a FedCM provider through\n`navigator.credentials.get` and log the user in. 
The parameters from\n`navigator.credentials.get` must have come from `GET\nself-service/fed-cm/parameters`.", + "operationId": "submitFedcmToken", + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/SubmitFedcmTokenBody" + } + }, + "application/x-www-form-urlencoded": { + "schema": { + "$ref": "#/components/schemas/SubmitFedcmTokenBody" + } + } + }, + "required": true, + "x-originalParamName": "Body" + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/successfulNativeLogin" + } + } + }, + "description": "successfulNativeLogin" + }, + "303": { + "$ref": "#/components/responses/emptyResponse" + }, + "400": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/loginFlow" + } + } + }, + "description": "loginFlow" + }, + "410": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + }, + "422": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorBrowserLocationChangeRequired" + } + } + }, + "description": "errorBrowserLocationChangeRequired" + }, + "default": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/errorGeneric" + } + } + }, + "description": "errorGeneric" + } + }, + "summary": "Submit a FedCM token", + "tags": [ + "frontend" + ] + } + }, "/self-service/login": { "post": { "description": "Use this endpoint to complete a login flow. 
This endpoint\nbehaves differently for API and browser flows.\n\nAPI flows expect `application/json` to be sent in the body and responds with\nHTTP 200 and a application/json body with the session token on success;\nHTTP 410 if the original flow expired with the appropriate error messages set and optionally a `use_flow_id` parameter in the body;\nHTTP 400 on form validation errors.\n\nBrowser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with\na HTTP 303 redirect to the post/after login URL or the `return_to` value if it was set and if the login succeeded;\na HTTP 303 redirect to the login UI URL with the flow ID containing the validation errors otherwise.\n\nBrowser flows with an accept header of `application/json` will not redirect but instead respond with\nHTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;\nHTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;\nHTTP 400 on form validation errors.\n\nIf this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`session_already_available`: The user is already signed in.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!\n`browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.\nMost likely used in Social Sign In flows.\n\nMore information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).", 
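Review bot: `POST /self-service/fed-cm/token` accepts `application/x-www-form-urlencoded` and answers browser callers with a 303, yet nothing in this hunk binds the submission to the `csrf_token` that `getParametersResponse` issues, and the `SubmitFedcmTokenBody` definition visible in the swagger.json hunk carries only `token`. A plain HTML form on another origin can post that content type, so the description should state that browser flows must echo the `csrf_token` from the parameters response, and the body schema should list it; if the implementation also verifies the token's nonce against the one issued with the `Provider` entry (the `nonce` property is documented as preventing replay), that belongs in this description as well. The text `GET\nself-service/fed-cm/parameters` is additionally missing the leading slash of the path. The same two endpoint definitions appear in the swagger.json hunk below.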
diff --git a/spec/swagger.json b/spec/swagger.json
index 38c8d2d8555e..6113dc160b65 100755
--- a/spec/swagger.json
+++ b/spec/swagger.json
@@ -1477,6 +1477,112 @@ } } }, + "/self-service/fed-cm/parameters": { + "get": { + "description": "This endpoint returns a list of all available FedCM providers. It is only supported on the Ory Network.", + "consumes": [ + "application/json" + ], + "produces": [ + "application/json" + ], + "schemes": [ + "http", + "https" + ], + "tags": [ + "frontend" + ], + "summary": "Get FedCM Parameters", + "operationId": "getFedcmParameters", + "responses": { + "200": { + "description": "getParametersResponse", + "schema": { + "$ref": "#/definitions/getParametersResponse" + } + }, + "400": { + "description": "errorGeneric", + "schema": { + "$ref": "#/definitions/errorGeneric" + } + }, + "default": { + "description": "errorGeneric", + "schema": { + "$ref": "#/definitions/errorGeneric" + } + } + } + } + }, + "/self-service/fed-cm/token": { + "post": { + "description": "Use this endpoint to submit a token from a FedCM provider through\n`navigator.credentials.get` and log the user in. The parameters from\n`navigator.credentials.get` must have come from `GET\nself-service/fed-cm/parameters`.", + "consumes": [ + "application/json", + "application/x-www-form-urlencoded" + ], + "produces": [ + "application/json" + ], + "schemes": [ + "http", + "https" + ], + "tags": [ + "frontend" + ], + "summary": "Submit a FedCM token", + "operationId": "submitFedcmToken", + "parameters": [ + { + "name": "Body", + "in": "body", + "required": true, + "schema": { + "$ref": "#/definitions/SubmitFedcmTokenBody" + } + } + ], + "responses": { + "200": { + "description": "successfulNativeLogin", + "schema": { + "$ref": "#/definitions/successfulNativeLogin" + } + }, + "303": { + "$ref": "#/responses/emptyResponse" + }, + "400": { + "description": "loginFlow", + "schema": { + "$ref": "#/definitions/loginFlow" + } + }, + "410": { + "description": "errorGeneric", + "schema": { + "$ref": "#/definitions/errorGeneric" + } + }, + "422": { + "description": "errorBrowserLocationChangeRequired", + "schema": { + 
"$ref": "#/definitions/errorBrowserLocationChangeRequired" + } + }, + "default": { + "description": "errorGeneric", + "schema": { + "$ref": "#/definitions/errorGeneric" + } + } + } + } + }, "/self-service/login": { "post": { "description": "Use this endpoint to complete a login flow. This endpoint\nbehaves differently for API and browser flows.\n\nAPI flows expect `application/json` to be sent in the body and responds with\nHTTP 200 and a application/json body with the session token on success;\nHTTP 410 if the original flow expired with the appropriate error messages set and optionally a `use_flow_id` parameter in the body;\nHTTP 400 on form validation errors.\n\nBrowser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with\na HTTP 303 redirect to the post/after login URL or the `return_to` value if it was set and if the login succeeded;\na HTTP 303 redirect to the login UI URL with the flow ID containing the validation errors otherwise.\n\nBrowser flows with an accept header of `application/json` will not redirect but instead respond with\nHTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;\nHTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;\nHTTP 400 on form validation errors.\n\nIf this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the\ncase of an error, the `error.id` of the JSON response body can be one of:\n\n`session_already_available`: The user is already signed in.\n`security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.\n`security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. 
Adjust this in the configuration!\n`browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.\nMost likely used in Social Sign In flows.\n\nMore information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).", 
@@ -3610,10 +3716,57 @@ } } }, + "Provider": { + "type": "object", + "properties": { + "client_id": { + "description": "The RP's client identifier, issued by the IdP.", + "type": "string" + }, + "config_url": { + "description": "A full path of the IdP config file.", + "type": "string" + }, + "domain_hint": { + "description": "By specifying one of domain_hints values provided by the accounts endpoints,\nthe FedCM dialog selectively shows the specified account.", + "type": "string" + }, + "fields": { + "description": "Array of strings that specifies the user information (\"name\", \" email\",\n\"picture\") that RP needs IdP to share with them.\n\nNote: Field API is supported by Chrome 132 and later.", + "type": "array", + "items": { + "type": "string" + } + }, + "login_hint": { + "description": "By specifying one of login_hints values provided by the accounts endpoints,\nthe FedCM dialog selectively shows the specified account.", + "type": "string" + }, + "nonce": { + "description": "A random string to ensure the response is issued for this specific request.\nPrevents replay attacks.", + "type": "string" + }, + "parameters": { + "description": "Custom object that allows to specify additional key-value parameters:\nscope: A string value containing additional permissions that RP needs to\nrequest, for example \" drive.readonly calendar.readonly\"\nnonce: A random string to ensure the response is issued for this specific\nrequest. Prevents replay attacks.\n\nOther custom key-value parameters.\n\nNote: parameters is supported from Chrome 132.", + "type": "object", + "additionalProperties": { + "type": "string" + } + } + } + }, "RecoveryAddressType": { "type": "string", "title": "RecoveryAddressType must not exceed 16 characters as that is the limitation in the SQL Schema." 
}, + "SubmitFedcmTokenBody": { + "type": "object", + "properties": { + "token": { + "type": "string" + } + } + }, "UUID": {"type": "string", "format": "uuid4"}, "authenticatorAssuranceLevel": { "description": "The authenticator assurance level can be one of \"aal1\", \"aal2\", or \"aal3\". A higher number means that it is harder\nfor an attacker to compromise the account.\n\nGenerally, \"aal1\" implies that one authentication factor was used while AAL2 implies that two factors (e.g.\npassword + TOTP) have been used.\n\nTo learn more about these levels please head over to: https://www.ory.sh/kratos/docs/concepts/credentials", @@ -4057,6 +4210,22 @@ } } }, + "getParametersResponse": { + "description": "Contains a list of all available FedCM providers.", + "type": "object", + "title": "GetParametersResponse", + "properties": { + "csrf_token": { + "type": "string" + }, + "providers": { + "type": "array", + "items": { + "$ref": "#/definitions/Provider" + } + } + } + }, "healthNotReadyStatus": { "type": "object", "title": "The not ready status of the service.", 
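Review bot: `SubmitFedcmTokenBody.token` has no description and the definition has no `required` list, so the one field a client must send is undocumented; the struct comment that generates this schema should say something like `The token returned by navigator.credentials.get for the selected provider.` and mark it required. The `Provider.fields` description also has a stray space in `" email"`, and `parameters` in `" drive.readonly calendar.readonly"`, which will be copied verbatim into every generated SDK. Both presumably trace back to the Go source comments rather than to this file.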
@@ -5865,30 +6034,30 @@ "description": "Update Login Flow with OpenID Connect Method", "type": "object", "required": [ - "provider", + "Provider", "method" ], "properties": { + "Provider": { + "description": "The Provider to register with", + "type": "string" + }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, - "provider": { - "description": "The provider to register with", - "type": "string" - }, "traits": { "description": "The identity traits. This is a placeholder for the registration flow.", "type": "object" 
@@ -5898,7 +6067,7 @@ "type": "object" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } } 
@@ -6126,30 +6295,30 @@ "description": "Update Registration Flow with OpenID Connect Method", "type": "object", "required": [ - "provider", + "Provider", "method" ], "properties": { + "Provider": { + "description": "The Provider to register with", + "type": "string" + }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and is required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and is required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, - "provider": { - "description": "The provider to register with", - "type": "string" - }, "traits": { "description": "The identity traits", "type": "object" 
@@ -6159,7 +6328,7 @@ "type": "object" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } } @@ -6347,7 +6516,7 @@ "type": "string" }, "link": { - "description": "Link this provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", + "description": "Link this Provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", "type": "string" }, "method": { 
@@ -6363,11 +6532,11 @@ "type": "object" }, "unlink": { - "description": "Unlink this provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", + "description": "Unlink this Provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", "type": "string" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } } diff --git a/x/router.go b/x/router.go index 6f4cb3609069..06c224c0a37f 100644 --- a/x/router.go +++ b/x/router.go 
@@ -105,3 +105,8 @@ func (r *RouterAdmin) Handler(method, publicPath string, handler http.Handler) {
func (r *RouterAdmin) Lookup(method, publicPath string) {
r.Router.Lookup(method, path.Join(AdminPrefix, publicPath))
}
+
+type HandlerRegistrar interface {
+ RegisterPublicRoutes(public *RouterPublic)
+ RegisterAdminRoutes(admin *RouterAdmin)
+}
From 326b00dd309e37520fb0dc9c70fdee6bb8a08277 Mon Sep 17 00:00:00 2001
From: Henning Perl
Date: Fri, 24 Jan 2025 11:54:25 +0100
Subject: [PATCH 2/2] code review
---
embedx/config.schema.json | 2 +-
internal/client-go/.openapi-generator/FILES | 4 +-
internal/client-go/README.md | 2 +-
internal/client-go/api_frontend.go | 12 +-
internal/client-go/go.sum | 2 -
...> model_get_fed_cm_parameters_response.go} | 54 ++++-----
.../model_submit_fedcm_token_body.go | 112 ++++++++++++++++++
...odel_update_login_flow_with_oidc_method.go | 68 +++++------
...date_registration_flow_with_oidc_method.go | 68 +++++------
...l_update_settings_flow_with_oidc_method.go | 6 +-
internal/httpclient/.openapi-generator/FILES | 4 +-
internal/httpclient/README.md | 2 +-
internal/httpclient/api_frontend.go | 12 +-
...> model_get_fed_cm_parameters_response.go} | 54 ++++-----
.../model_submit_fedcm_token_body.go | 112 ++++++++++++++++++
...odel_update_login_flow_with_oidc_method.go | 68 +++++------
...date_registration_flow_with_oidc_method.go | 68 +++++------
...l_update_settings_flow_with_oidc_method.go | 6 +-
.../strategy/oidc/fedcm/definitions.go | 4 +-
selfservice/strategy/oidc/pkce.go | 6 +-
selfservice/strategy/oidc/strategy.go | 4 +-
spec/api.json | 57 +++++----
spec/swagger.json | 57 +++++----
23 files changed, 516 insertions(+), 268 deletions(-)
rename internal/client-go/{model_get_parameters_response.go => model_get_fed_cm_parameters_response.go} (59%)
rename internal/httpclient/{model_get_parameters_response.go => model_get_fed_cm_parameters_response.go} (59%)
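Review bot: `HandlerRegistrar` in the x/router.go hunk is a new exported interface with no doc comment, so godoc and the exported-name lint show nothing for it; add `// HandlerRegistrar is implemented by components that mount their HTTP handlers on the public and admin routers.` above the `type` line. Since the split between public and admin routers is the point of the type, a one-line comment on each method saying which router it receives would also help implementers.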
diff --git a/embedx/config.schema.json b/embedx/config.schema.json index d9bb0173605e..ad4db74df0e9 100644 --- a/embedx/config.schema.json +++ b/embedx/config.schema.json @@ -582,7 +582,7 @@ }, "fedcm_config_url": { "title": "Federation Configuration URL", - "description": "The URL where the FedCM IdP configuration is located for the provider.", + "description": "The URL where the FedCM IdP configuration is located for the provider. This is only effective in the Ory Network.", "type": "string", "format": "uri", "examples": ["https://example.com/config.json"] diff --git a/internal/client-go/.openapi-generator/FILES b/internal/client-go/.openapi-generator/FILES index eef4b6b4dfe9..304b5b327fb8 100644 --- a/internal/client-go/.openapi-generator/FILES +++ b/internal/client-go/.openapi-generator/FILES @@ -35,7 +35,7 @@ docs/ErrorGeneric.md docs/FlowError.md docs/FrontendAPI.md docs/GenericError.md -docs/GetParametersResponse.md +docs/GetFedCmParametersResponse.md docs/GetVersion200Response.md docs/HealthNotReadyStatus.md docs/HealthStatus.md @@ -163,7 +163,7 @@ model_error_flow_replaced.go model_error_generic.go model_flow_error.go model_generic_error.go -model_get_parameters_response.go +model_get_fed_cm_parameters_response.go model_get_version_200_response.go model_health_not_ready_status.go model_health_status.go diff --git a/internal/client-go/README.md b/internal/client-go/README.md index 76576250b664..e9657b0432f8 100644 --- a/internal/client-go/README.md +++ b/internal/client-go/README.md @@ -162,7 +162,7 @@ Class | Method | HTTP request | Description - [ErrorGeneric](docs/ErrorGeneric.md) - [FlowError](docs/FlowError.md) - [GenericError](docs/GenericError.md) - - [GetParametersResponse](docs/GetParametersResponse.md) + - [GetFedCmParametersResponse](docs/GetFedCmParametersResponse.md) - [GetVersion200Response](docs/GetVersion200Response.md) - [HealthNotReadyStatus](docs/HealthNotReadyStatus.md) - [HealthStatus](docs/HealthStatus.md) 
diff --git a/internal/client-go/api_frontend.go b/internal/client-go/api_frontend.go index 2faad9a5bd32..97f0ca8b82c7 100644 --- a/internal/client-go/api_frontend.go +++ b/internal/client-go/api_frontend.go @@ -404,9 +404,9 @@ type FrontendAPI interface { /* * GetFedcmParametersExecute executes the request - * @return GetParametersResponse + * @return GetFedCmParametersResponse */ - GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) + GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetFedCmParametersResponse, *http.Response, error) /* * GetFlowError Get User-Flow Errors @@ -3140,7 +3140,7 @@ type FrontendAPIApiGetFedcmParametersRequest struct { ApiService FrontendAPI } -func (r FrontendAPIApiGetFedcmParametersRequest) Execute() (*GetParametersResponse, *http.Response, error) { +func (r FrontendAPIApiGetFedcmParametersRequest) Execute() (*GetFedCmParametersResponse, *http.Response, error) { return r.ApiService.GetFedcmParametersExecute(r) } @@ -3159,16 +3159,16 @@ func (a *FrontendAPIService) GetFedcmParameters(ctx context.Context) FrontendAPI /* * Execute executes the request - * @return GetParametersResponse + * @return GetFedCmParametersResponse */ -func (a *FrontendAPIService) GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) { +func (a *FrontendAPIService) GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetFedCmParametersResponse, *http.Response, error) { var ( localVarHTTPMethod = http.MethodGet localVarPostBody interface{} localVarFormFileName string localVarFileName string localVarFileBytes []byte - localVarReturnValue *GetParametersResponse + localVarReturnValue *GetFedCmParametersResponse ) localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.GetFedcmParameters") 
diff --git a/internal/client-go/go.sum b/internal/client-go/go.sum index 734252e68153..c966c8ddfd0d 100644 --- a/internal/client-go/go.sum +++ b/internal/client-go/go.sum @@ -4,8 +4,6 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= diff --git a/internal/client-go/model_get_parameters_response.go b/internal/client-go/model_get_fed_cm_parameters_response.go similarity index 59% rename from internal/client-go/model_get_parameters_response.go rename to internal/client-go/model_get_fed_cm_parameters_response.go index 17616c790407..1563b7e2cee2 100644 --- a/internal/client-go/model_get_parameters_response.go +++ b/internal/client-go/model_get_fed_cm_parameters_response.go 
@@ -15,31 +15,31 @@ import ( "encoding/json" ) -// GetParametersResponse Contains a list of all available FedCM providers. -type GetParametersResponse struct { +// GetFedCmParametersResponse Contains a list of all available FedCM providers. +type GetFedCmParametersResponse struct { CsrfToken *string `json:"csrf_token,omitempty"` Providers []Provider `json:"providers,omitempty"` } -// NewGetParametersResponse instantiates a new GetParametersResponse object +// NewGetFedCmParametersResponse instantiates a new GetFedCmParametersResponse object // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewGetParametersResponse() *GetParametersResponse { - this := GetParametersResponse{} +func NewGetFedCmParametersResponse() *GetFedCmParametersResponse { + this := GetFedCmParametersResponse{} return &this } -// NewGetParametersResponseWithDefaults instantiates a new GetParametersResponse object +// NewGetFedCmParametersResponseWithDefaults instantiates a new GetFedCmParametersResponse object // This constructor will only assign default values to properties that have it defined, // but it doesn't guarantee that properties required by API are set -func NewGetParametersResponseWithDefaults() *GetParametersResponse { - this := GetParametersResponse{} +func NewGetFedCmParametersResponseWithDefaults() *GetFedCmParametersResponse { + this := GetFedCmParametersResponse{} return &this } // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. -func (o *GetParametersResponse) GetCsrfToken() string { +func (o *GetFedCmParametersResponse) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { var ret string return ret 
@@ -49,7 +49,7 @@ func (o *GetParametersResponse) GetCsrfToken() string { // GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise // and a boolean to check if the value has been set. -func (o *GetParametersResponse) GetCsrfTokenOk() (*string, bool) { +func (o *GetFedCmParametersResponse) GetCsrfTokenOk() (*string, bool) { if o == nil || o.CsrfToken == nil { return nil, false } @@ -57,7 +57,7 @@ func (o *GetParametersResponse) GetCsrfTokenOk() (*string, bool) { } // HasCsrfToken returns a boolean if a field has been set. -func (o *GetParametersResponse) HasCsrfToken() bool { +func (o *GetFedCmParametersResponse) HasCsrfToken() bool { if o != nil && o.CsrfToken != nil { return true } @@ -66,12 +66,12 @@ func (o *GetParametersResponse) HasCsrfToken() bool { } // SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field. -func (o *GetParametersResponse) SetCsrfToken(v string) { +func (o *GetFedCmParametersResponse) SetCsrfToken(v string) { o.CsrfToken = &v } // GetProviders returns the Providers field value if set, zero value otherwise. -func (o *GetParametersResponse) GetProviders() []Provider { +func (o *GetFedCmParametersResponse) GetProviders() []Provider { if o == nil || o.Providers == nil { var ret []Provider return ret @@ -81,7 +81,7 @@ func (o *GetParametersResponse) GetProviders() []Provider { // GetProvidersOk returns a tuple with the Providers field value if set, nil otherwise // and a boolean to check if the value has been set. -func (o *GetParametersResponse) GetProvidersOk() ([]Provider, bool) { +func (o *GetFedCmParametersResponse) GetProvidersOk() ([]Provider, bool) { if o == nil || o.Providers == nil { return nil, false } 
@@ -89,7 +89,7 @@ func (o *GetParametersResponse) GetProvidersOk() ([]Provider, bool) { } // HasProviders returns a boolean if a field has been set. -func (o *GetParametersResponse) HasProviders() bool { +func (o *GetFedCmParametersResponse) HasProviders() bool { if o != nil && o.Providers != nil { return true } @@ -98,11 +98,11 @@ func (o *GetParametersResponse) HasProviders() bool { } // SetProviders gets a reference to the given []Provider and assigns it to the Providers field. -func (o *GetParametersResponse) SetProviders(v []Provider) { +func (o *GetFedCmParametersResponse) SetProviders(v []Provider) { o.Providers = v } -func (o GetParametersResponse) MarshalJSON() ([]byte, error) { +func (o GetFedCmParametersResponse) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken 
@@ -113,38 +113,38 @@ func (o GetParametersResponse) MarshalJSON() ([]byte, error) { return json.Marshal(toSerialize) } -type NullableGetParametersResponse struct { - value *GetParametersResponse +type NullableGetFedCmParametersResponse struct { + value *GetFedCmParametersResponse isSet bool } -func (v NullableGetParametersResponse) Get() *GetParametersResponse { +func (v NullableGetFedCmParametersResponse) Get() *GetFedCmParametersResponse { return v.value } -func (v *NullableGetParametersResponse) Set(val *GetParametersResponse) { +func (v *NullableGetFedCmParametersResponse) Set(val *GetFedCmParametersResponse) { v.value = val v.isSet = true } -func (v NullableGetParametersResponse) IsSet() bool { +func (v NullableGetFedCmParametersResponse) IsSet() bool { return v.isSet } -func (v *NullableGetParametersResponse) Unset() { +func (v *NullableGetFedCmParametersResponse) Unset() { v.value = nil v.isSet = false } -func NewNullableGetParametersResponse(val *GetParametersResponse) *NullableGetParametersResponse { - return &NullableGetParametersResponse{value: val, isSet: true} +func NewNullableGetFedCmParametersResponse(val *GetFedCmParametersResponse) *NullableGetFedCmParametersResponse { + return &NullableGetFedCmParametersResponse{value: val, isSet: true} } -func (v NullableGetParametersResponse) MarshalJSON() ([]byte, error) { +func (v NullableGetFedCmParametersResponse) MarshalJSON() ([]byte, error) { return json.Marshal(v.value) } -func (v *NullableGetParametersResponse) UnmarshalJSON(src []byte) error { +func (v *NullableGetFedCmParametersResponse) UnmarshalJSON(src []byte) error { v.isSet = true return json.Unmarshal(src, &v.value) } diff --git a/internal/client-go/model_submit_fedcm_token_body.go b/internal/client-go/model_submit_fedcm_token_body.go index 8b2fbc54c70f..3c9c060b6d25 100644 --- a/internal/client-go/model_submit_fedcm_token_body.go +++ b/internal/client-go/model_submit_fedcm_token_body.go 
@@ -17,6 +17,13 @@ import ( // SubmitFedcmTokenBody struct for SubmitFedcmTokenBody type SubmitFedcmTokenBody struct { + // CSRFToken is the anti-CSRF token. + CsrfToken *string `json:"csrf_token,omitempty"` + // Nonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and required. + Nonce *string `json:"nonce,omitempty"` + // The provider to log in with. + Provider *string `json:"provider,omitempty"` + // Token contains the result of `navigator.credentials.get`. Token *string `json:"token,omitempty"` } 
@@ -37,6 +44,102 @@ func NewSubmitFedcmTokenBodyWithDefaults() *SubmitFedcmTokenBody { return &this } +// GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. +func (o *SubmitFedcmTokenBody) GetCsrfToken() string { + if o == nil || o.CsrfToken == nil { + var ret string + return ret + } + return *o.CsrfToken +} + +// GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SubmitFedcmTokenBody) GetCsrfTokenOk() (*string, bool) { + if o == nil || o.CsrfToken == nil { + return nil, false + } + return o.CsrfToken, true +} + +// HasCsrfToken returns a boolean if a field has been set. +func (o *SubmitFedcmTokenBody) HasCsrfToken() bool { + if o != nil && o.CsrfToken != nil { + return true + } + + return false +} + +// SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field. +func (o *SubmitFedcmTokenBody) SetCsrfToken(v string) { + o.CsrfToken = &v +} + +// GetNonce returns the Nonce field value if set, zero value otherwise. +func (o *SubmitFedcmTokenBody) GetNonce() string { + if o == nil || o.Nonce == nil { + var ret string + return ret + } + return *o.Nonce +} + +// GetNonceOk returns a tuple with the Nonce field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SubmitFedcmTokenBody) GetNonceOk() (*string, bool) { + if o == nil || o.Nonce == nil { + return nil, false + } + return o.Nonce, true +} + +// HasNonce returns a boolean if a field has been set. +func (o *SubmitFedcmTokenBody) HasNonce() bool { + if o != nil && o.Nonce != nil { + return true + } + + return false +} + +// SetNonce gets a reference to the given string and assigns it to the Nonce field. +func (o *SubmitFedcmTokenBody) SetNonce(v string) { + o.Nonce = &v +} + +// GetProvider returns the Provider field value if set, zero value otherwise. 
+func (o *SubmitFedcmTokenBody) GetProvider() string { + if o == nil || o.Provider == nil { + var ret string + return ret + } + return *o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SubmitFedcmTokenBody) GetProviderOk() (*string, bool) { + if o == nil || o.Provider == nil { + return nil, false + } + return o.Provider, true +} + +// HasProvider returns a boolean if a field has been set. +func (o *SubmitFedcmTokenBody) HasProvider() bool { + if o != nil && o.Provider != nil { + return true + } + + return false +} + +// SetProvider gets a reference to the given string and assigns it to the Provider field. +func (o *SubmitFedcmTokenBody) SetProvider(v string) { + o.Provider = &v +} + // GetToken returns the Token field value if set, zero value otherwise. func (o *SubmitFedcmTokenBody) GetToken() string { if o == nil || o.Token == nil { @@ -71,6 +174,15 @@ func (o *SubmitFedcmTokenBody) SetToken(v string) { func (o SubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} + if o.CsrfToken != nil { + toSerialize["csrf_token"] = o.CsrfToken + } + if o.Nonce != nil { + toSerialize["nonce"] = o.Nonce + } + if o.Provider != nil { + toSerialize["provider"] = o.Provider + } if o.Token != nil { toSerialize["token"] = o.Token } diff --git a/internal/client-go/model_update_login_flow_with_oidc_method.go b/internal/client-go/model_update_login_flow_with_oidc_method.go index c7ebbec5e248..cdd5c665bdc5 100644 --- a/internal/client-go/model_update_login_flow_with_oidc_method.go +++ b/internal/client-go/model_update_login_flow_with_oidc_method.go 
@@ -17,21 +17,21 @@ import ( // UpdateLoginFlowWithOidcMethod Update Login Flow with OpenID Connect Method type UpdateLoginFlowWithOidcMethod struct { - // The Provider to register with - Provider string `json:"Provider"` // The CSRF Token CsrfToken *string `json:"csrf_token,omitempty"` - // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google + // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google IdToken *string `json:"id_token,omitempty"` - // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and required. + // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and required. IdTokenNonce *string `json:"id_token_nonce,omitempty"` // Method to use This field must be set to `oidc` when using the oidc method. Method string `json:"method"` + // The provider to register with + Provider string `json:"provider"` // The identity traits. This is a placeholder for the registration flow. 
Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
@@ -39,10 +39,10 @@ type UpdateLoginFlowWithOidcMethod struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUpdateLoginFlowWithOidcMethod(provider string, method string) *UpdateLoginFlowWithOidcMethod { +func NewUpdateLoginFlowWithOidcMethod(method string, provider string) *UpdateLoginFlowWithOidcMethod { this := UpdateLoginFlowWithOidcMethod{} - this.Provider = provider this.Method = method + this.Provider = provider return &this } @@ -54,30 +54,6 @@ func NewUpdateLoginFlowWithOidcMethodWithDefaults() *UpdateLoginFlowWithOidcMeth return &this } -// GetProvider returns the Provider field value -func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string { - if o == nil { - var ret string - return ret - } - - return o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value -// and a boolean to check if the value has been set. -func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) { - if o == nil { - return nil, false - } - return &o.Provider, true -} - -// SetProvider sets field value -func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) { - o.Provider = v -} - // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. func (o *UpdateLoginFlowWithOidcMethod) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { 
@@ -198,6 +174,30 @@ func (o *UpdateLoginFlowWithOidcMethod) SetMethod(v string) { o.Method = v } +// GetProvider returns the Provider field value +func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string { + if o == nil { + var ret string + return ret + } + + return o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value +// and a boolean to check if the value has been set. +func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Provider, true +} + +// SetProvider sets field value +func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) { + o.Provider = v +} + // GetTraits returns the Traits field value if set, zero value otherwise. func (o *UpdateLoginFlowWithOidcMethod) GetTraits() map[string]interface{} { if o == nil || o.Traits == nil { @@ -296,9 +296,6 @@ func (o *UpdateLoginFlowWithOidcMethod) SetUpstreamParameters(v map[string]inter func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} - if true { - toSerialize["Provider"] = o.Provider - } if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken } @@ -311,6 +308,9 @@ func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) { if true { toSerialize["method"] = o.Method } + if true { + toSerialize["provider"] = o.Provider + } if o.Traits != nil { toSerialize["traits"] = o.Traits } diff --git a/internal/client-go/model_update_registration_flow_with_oidc_method.go b/internal/client-go/model_update_registration_flow_with_oidc_method.go index d96f8bb21777..2ee32605fee6 100644 --- a/internal/client-go/model_update_registration_flow_with_oidc_method.go +++ b/internal/client-go/model_update_registration_flow_with_oidc_method.go 
@@ -17,21 +17,21 @@ import ( // UpdateRegistrationFlowWithOidcMethod Update Registration Flow with OpenID Connect Method type UpdateRegistrationFlowWithOidcMethod struct { - // The Provider to register with - Provider string `json:"Provider"` // The CSRF Token CsrfToken *string `json:"csrf_token,omitempty"` - // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google + // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google IdToken *string `json:"id_token,omitempty"` - // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and is required. + // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and is required. IdTokenNonce *string `json:"id_token_nonce,omitempty"` // Method to use This field must be set to `oidc` when using the oidc method. 
Method string `json:"method"` + // The provider to register with + Provider string `json:"provider"` // The identity traits Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
@@ -39,10 +39,10 @@ type UpdateRegistrationFlowWithOidcMethod struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUpdateRegistrationFlowWithOidcMethod(provider string, method string) *UpdateRegistrationFlowWithOidcMethod { +func NewUpdateRegistrationFlowWithOidcMethod(method string, provider string) *UpdateRegistrationFlowWithOidcMethod { this := UpdateRegistrationFlowWithOidcMethod{} - this.Provider = provider this.Method = method + this.Provider = provider return &this } @@ -54,30 +54,6 @@ func NewUpdateRegistrationFlowWithOidcMethodWithDefaults() *UpdateRegistrationFl return &this } -// GetProvider returns the Provider field value -func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string { - if o == nil { - var ret string - return ret - } - - return o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value -// and a boolean to check if the value has been set. -func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) { - if o == nil { - return nil, false - } - return &o.Provider, true -} - -// SetProvider sets field value -func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) { - o.Provider = v -} - // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. func (o *UpdateRegistrationFlowWithOidcMethod) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { 
@@ -198,6 +174,30 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetMethod(v string) { o.Method = v } +// GetProvider returns the Provider field value +func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string { + if o == nil { + var ret string + return ret + } + + return o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value +// and a boolean to check if the value has been set. +func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Provider, true +} + +// SetProvider sets field value +func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) { + o.Provider = v +} + // GetTraits returns the Traits field value if set, zero value otherwise. func (o *UpdateRegistrationFlowWithOidcMethod) GetTraits() map[string]interface{} { if o == nil || o.Traits == nil { @@ -296,9 +296,6 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetUpstreamParameters(v map[strin func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} - if true { - toSerialize["Provider"] = o.Provider - } if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken } @@ -311,6 +308,9 @@ func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) { if true { toSerialize["method"] = o.Method } + if true { + toSerialize["provider"] = o.Provider + } if o.Traits != nil { toSerialize["traits"] = o.Traits } diff --git a/internal/client-go/model_update_settings_flow_with_oidc_method.go b/internal/client-go/model_update_settings_flow_with_oidc_method.go index 6a1650c5c317..c54a0d1251f3 100644 --- a/internal/client-go/model_update_settings_flow_with_oidc_method.go +++ b/internal/client-go/model_update_settings_flow_with_oidc_method.go 
@@ -19,7 +19,7 @@ import ( type UpdateSettingsFlowWithOidcMethod struct { // Flow ID is the flow's ID. in: query Flow *string `json:"flow,omitempty"` - // Link this Provider Either this or `unlink` must be set. type: string in: body + // Link this provider Either this or `unlink` must be set. type: string in: body Link *string `json:"link,omitempty"` // Method Should be set to profile when trying to update a profile. Method string `json:"method"` 
@@ -27,9 +27,9 @@ type UpdateSettingsFlowWithOidcMethod struct { Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // Unlink this Provider Either this or `link` must be set. type: string in: body + // Unlink this provider Either this or `link` must be set. type: string in: body Unlink *string `json:"unlink,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } diff --git a/internal/httpclient/.openapi-generator/FILES b/internal/httpclient/.openapi-generator/FILES index eef4b6b4dfe9..304b5b327fb8 100644 
--- a/internal/httpclient/.openapi-generator/FILES +++ b/internal/httpclient/.openapi-generator/FILES @@ -35,7 +35,7 @@ docs/ErrorGeneric.md docs/FlowError.md docs/FrontendAPI.md docs/GenericError.md -docs/GetParametersResponse.md +docs/GetFedCmParametersResponse.md docs/GetVersion200Response.md docs/HealthNotReadyStatus.md docs/HealthStatus.md @@ -163,7 +163,7 @@ model_error_flow_replaced.go model_error_generic.go model_flow_error.go model_generic_error.go -model_get_parameters_response.go +model_get_fed_cm_parameters_response.go model_get_version_200_response.go model_health_not_ready_status.go model_health_status.go diff --git a/internal/httpclient/README.md b/internal/httpclient/README.md index 76576250b664..e9657b0432f8 100644 --- a/internal/httpclient/README.md +++ b/internal/httpclient/README.md @@ -162,7 +162,7 @@ Class | Method | HTTP request | Description - [ErrorGeneric](docs/ErrorGeneric.md) - [FlowError](docs/FlowError.md) - [GenericError](docs/GenericError.md) - - [GetParametersResponse](docs/GetParametersResponse.md) + - [GetFedCmParametersResponse](docs/GetFedCmParametersResponse.md) - [GetVersion200Response](docs/GetVersion200Response.md) - [HealthNotReadyStatus](docs/HealthNotReadyStatus.md) - [HealthStatus](docs/HealthStatus.md) diff --git a/internal/httpclient/api_frontend.go b/internal/httpclient/api_frontend.go index 2faad9a5bd32..97f0ca8b82c7 100644 --- a/internal/httpclient/api_frontend.go +++ b/internal/httpclient/api_frontend.go @@ -404,9 +404,9 @@ type FrontendAPI interface { /* * GetFedcmParametersExecute executes the request - * @return GetParametersResponse + * @return GetFedCmParametersResponse */ - GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) + GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetFedCmParametersResponse, *http.Response, error) /* * GetFlowError Get User-Flow Errors 
@@ -3140,7 +3140,7 @@ type FrontendAPIApiGetFedcmParametersRequest struct { ApiService FrontendAPI } -func (r FrontendAPIApiGetFedcmParametersRequest) Execute() (*GetParametersResponse, *http.Response, error) { +func (r FrontendAPIApiGetFedcmParametersRequest) Execute() (*GetFedCmParametersResponse, *http.Response, error) { return r.ApiService.GetFedcmParametersExecute(r) } @@ -3159,16 +3159,16 @@ func (a *FrontendAPIService) GetFedcmParameters(ctx context.Context) FrontendAPI /* * Execute executes the request - * @return GetParametersResponse + * @return GetFedCmParametersResponse */ -func (a *FrontendAPIService) GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetParametersResponse, *http.Response, error) { +func (a *FrontendAPIService) GetFedcmParametersExecute(r FrontendAPIApiGetFedcmParametersRequest) (*GetFedCmParametersResponse, *http.Response, error) { var ( localVarHTTPMethod = http.MethodGet localVarPostBody interface{} localVarFormFileName string localVarFileName string localVarFileBytes []byte - localVarReturnValue *GetParametersResponse + localVarReturnValue *GetFedCmParametersResponse ) localBasePath, err := a.client.cfg.ServerURLWithContext(r.ctx, "FrontendAPIService.GetFedcmParameters") diff --git a/internal/httpclient/model_get_parameters_response.go b/internal/httpclient/model_get_fed_cm_parameters_response.go similarity index 59% rename from internal/httpclient/model_get_parameters_response.go rename to internal/httpclient/model_get_fed_cm_parameters_response.go index 17616c790407..1563b7e2cee2 100644 --- a/internal/httpclient/model_get_parameters_response.go +++ b/internal/httpclient/model_get_fed_cm_parameters_response.go 
@@ -15,31 +15,31 @@ import ( "encoding/json" ) -// GetParametersResponse Contains a list of all available FedCM providers. -type GetParametersResponse struct { +// GetFedCmParametersResponse Contains a list of all available FedCM providers. +type GetFedCmParametersResponse struct { CsrfToken *string `json:"csrf_token,omitempty"` Providers []Provider `json:"providers,omitempty"` } -// NewGetParametersResponse instantiates a new GetParametersResponse object +// NewGetFedCmParametersResponse instantiates a new GetFedCmParametersResponse object // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewGetParametersResponse() *GetParametersResponse { - this := GetParametersResponse{} +func NewGetFedCmParametersResponse() *GetFedCmParametersResponse { + this := GetFedCmParametersResponse{} return &this } -// NewGetParametersResponseWithDefaults instantiates a new GetParametersResponse object +// NewGetFedCmParametersResponseWithDefaults instantiates a new GetFedCmParametersResponse object // This constructor will only assign default values to properties that have it defined, // but it doesn't guarantee that properties required by API are set -func NewGetParametersResponseWithDefaults() *GetParametersResponse { - this := GetParametersResponse{} +func NewGetFedCmParametersResponseWithDefaults() *GetFedCmParametersResponse { + this := GetFedCmParametersResponse{} return &this } // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. -func (o *GetParametersResponse) GetCsrfToken() string { +func (o *GetFedCmParametersResponse) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { var ret string return ret 
@@ -49,7 +49,7 @@ func (o *GetParametersResponse) GetCsrfToken() string { // GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise // and a boolean to check if the value has been set. -func (o *GetParametersResponse) GetCsrfTokenOk() (*string, bool) { +func (o *GetFedCmParametersResponse) GetCsrfTokenOk() (*string, bool) { if o == nil || o.CsrfToken == nil { return nil, false } @@ -57,7 +57,7 @@ func (o *GetParametersResponse) GetCsrfTokenOk() (*string, bool) { } // HasCsrfToken returns a boolean if a field has been set. -func (o *GetParametersResponse) HasCsrfToken() bool { +func (o *GetFedCmParametersResponse) HasCsrfToken() bool { if o != nil && o.CsrfToken != nil { return true } @@ -66,12 +66,12 @@ func (o *GetParametersResponse) HasCsrfToken() bool { } // SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field. -func (o *GetParametersResponse) SetCsrfToken(v string) { +func (o *GetFedCmParametersResponse) SetCsrfToken(v string) { o.CsrfToken = &v } // GetProviders returns the Providers field value if set, zero value otherwise. -func (o *GetParametersResponse) GetProviders() []Provider { +func (o *GetFedCmParametersResponse) GetProviders() []Provider { if o == nil || o.Providers == nil { var ret []Provider return ret @@ -81,7 +81,7 @@ func (o *GetParametersResponse) GetProviders() []Provider { // GetProvidersOk returns a tuple with the Providers field value if set, nil otherwise // and a boolean to check if the value has been set. -func (o *GetParametersResponse) GetProvidersOk() ([]Provider, bool) { +func (o *GetFedCmParametersResponse) GetProvidersOk() ([]Provider, bool) { if o == nil || o.Providers == nil { return nil, false } 
@@ -89,7 +89,7 @@ func (o *GetParametersResponse) GetProvidersOk() ([]Provider, bool) { } // HasProviders returns a boolean if a field has been set. -func (o *GetParametersResponse) HasProviders() bool { +func (o *GetFedCmParametersResponse) HasProviders() bool { if o != nil && o.Providers != nil { return true } @@ -98,11 +98,11 @@ func (o *GetParametersResponse) HasProviders() bool { } // SetProviders gets a reference to the given []Provider and assigns it to the Providers field. -func (o *GetParametersResponse) SetProviders(v []Provider) { +func (o *GetFedCmParametersResponse) SetProviders(v []Provider) { o.Providers = v } -func (o GetParametersResponse) MarshalJSON() ([]byte, error) { +func (o GetFedCmParametersResponse) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken 
@@ -113,38 +113,38 @@ func (o GetParametersResponse) MarshalJSON() ([]byte, error) { return json.Marshal(toSerialize) } -type NullableGetParametersResponse struct { - value *GetParametersResponse +type NullableGetFedCmParametersResponse struct { + value *GetFedCmParametersResponse isSet bool } -func (v NullableGetParametersResponse) Get() *GetParametersResponse { +func (v NullableGetFedCmParametersResponse) Get() *GetFedCmParametersResponse { return v.value } -func (v *NullableGetParametersResponse) Set(val *GetParametersResponse) { +func (v *NullableGetFedCmParametersResponse) Set(val *GetFedCmParametersResponse) { v.value = val v.isSet = true } -func (v NullableGetParametersResponse) IsSet() bool { +func (v NullableGetFedCmParametersResponse) IsSet() bool { return v.isSet } -func (v *NullableGetParametersResponse) Unset() { +func (v *NullableGetFedCmParametersResponse) Unset() { v.value = nil v.isSet = false } -func NewNullableGetParametersResponse(val *GetParametersResponse) *NullableGetParametersResponse { - return &NullableGetParametersResponse{value: val, isSet: true} +func NewNullableGetFedCmParametersResponse(val *GetFedCmParametersResponse) *NullableGetFedCmParametersResponse { + return &NullableGetFedCmParametersResponse{value: val, isSet: true} } -func (v NullableGetParametersResponse) MarshalJSON() ([]byte, error) { +func (v NullableGetFedCmParametersResponse) MarshalJSON() ([]byte, error) { return json.Marshal(v.value) } -func (v *NullableGetParametersResponse) UnmarshalJSON(src []byte) error { +func (v *NullableGetFedCmParametersResponse) UnmarshalJSON(src []byte) error { v.isSet = true return json.Unmarshal(src, &v.value) } diff --git a/internal/httpclient/model_submit_fedcm_token_body.go b/internal/httpclient/model_submit_fedcm_token_body.go index 8b2fbc54c70f..3c9c060b6d25 100644 --- a/internal/httpclient/model_submit_fedcm_token_body.go +++ b/internal/httpclient/model_submit_fedcm_token_body.go 
@@ -17,6 +17,13 @@ import ( // SubmitFedcmTokenBody struct for SubmitFedcmTokenBody type SubmitFedcmTokenBody struct { + // CSRFToken is the anti-CSRF token. + CsrfToken *string `json:"csrf_token,omitempty"` + // Nonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and required. + Nonce *string `json:"nonce,omitempty"` + // The provider to log in with. + Provider *string `json:"provider,omitempty"` + // Token contains the result of `navigator.credentials.get`. Token *string `json:"token,omitempty"` } 
@@ -37,6 +44,102 @@ func NewSubmitFedcmTokenBodyWithDefaults() *SubmitFedcmTokenBody { return &this } +// GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. +func (o *SubmitFedcmTokenBody) GetCsrfToken() string { + if o == nil || o.CsrfToken == nil { + var ret string + return ret + } + return *o.CsrfToken +} + +// GetCsrfTokenOk returns a tuple with the CsrfToken field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SubmitFedcmTokenBody) GetCsrfTokenOk() (*string, bool) { + if o == nil || o.CsrfToken == nil { + return nil, false + } + return o.CsrfToken, true +} + +// HasCsrfToken returns a boolean if a field has been set. +func (o *SubmitFedcmTokenBody) HasCsrfToken() bool { + if o != nil && o.CsrfToken != nil { + return true + } + + return false +} + +// SetCsrfToken gets a reference to the given string and assigns it to the CsrfToken field. +func (o *SubmitFedcmTokenBody) SetCsrfToken(v string) { + o.CsrfToken = &v +} + +// GetNonce returns the Nonce field value if set, zero value otherwise. +func (o *SubmitFedcmTokenBody) GetNonce() string { + if o == nil || o.Nonce == nil { + var ret string + return ret + } + return *o.Nonce +} + +// GetNonceOk returns a tuple with the Nonce field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SubmitFedcmTokenBody) GetNonceOk() (*string, bool) { + if o == nil || o.Nonce == nil { + return nil, false + } + return o.Nonce, true +} + +// HasNonce returns a boolean if a field has been set. +func (o *SubmitFedcmTokenBody) HasNonce() bool { + if o != nil && o.Nonce != nil { + return true + } + + return false +} + +// SetNonce gets a reference to the given string and assigns it to the Nonce field. +func (o *SubmitFedcmTokenBody) SetNonce(v string) { + o.Nonce = &v +} + +// GetProvider returns the Provider field value if set, zero value otherwise. 
+func (o *SubmitFedcmTokenBody) GetProvider() string { + if o == nil || o.Provider == nil { + var ret string + return ret + } + return *o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SubmitFedcmTokenBody) GetProviderOk() (*string, bool) { + if o == nil || o.Provider == nil { + return nil, false + } + return o.Provider, true +} + +// HasProvider returns a boolean if a field has been set. +func (o *SubmitFedcmTokenBody) HasProvider() bool { + if o != nil && o.Provider != nil { + return true + } + + return false +} + +// SetProvider gets a reference to the given string and assigns it to the Provider field. +func (o *SubmitFedcmTokenBody) SetProvider(v string) { + o.Provider = &v +} + // GetToken returns the Token field value if set, zero value otherwise. func (o *SubmitFedcmTokenBody) GetToken() string { if o == nil || o.Token == nil { @@ -71,6 +174,15 @@ func (o *SubmitFedcmTokenBody) SetToken(v string) { func (o SubmitFedcmTokenBody) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} + if o.CsrfToken != nil { + toSerialize["csrf_token"] = o.CsrfToken + } + if o.Nonce != nil { + toSerialize["nonce"] = o.Nonce + } + if o.Provider != nil { + toSerialize["provider"] = o.Provider + } if o.Token != nil { toSerialize["token"] = o.Token } diff --git a/internal/httpclient/model_update_login_flow_with_oidc_method.go b/internal/httpclient/model_update_login_flow_with_oidc_method.go index c7ebbec5e248..cdd5c665bdc5 100644 --- a/internal/httpclient/model_update_login_flow_with_oidc_method.go +++ b/internal/httpclient/model_update_login_flow_with_oidc_method.go 
@@ -17,21 +17,21 @@ import ( // UpdateLoginFlowWithOidcMethod Update Login Flow with OpenID Connect Method type UpdateLoginFlowWithOidcMethod struct { - // The Provider to register with - Provider string `json:"Provider"` // The CSRF Token CsrfToken *string `json:"csrf_token,omitempty"` - // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google + // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google IdToken *string `json:"id_token,omitempty"` - // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and required. + // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and required. IdTokenNonce *string `json:"id_token_nonce,omitempty"` // Method to use This field must be set to `oidc` when using the oidc method. Method string `json:"method"` + // The provider to register with + Provider string `json:"provider"` // The identity traits. This is a placeholder for the registration flow. 
Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
@@ -39,10 +39,10 @@ type UpdateLoginFlowWithOidcMethod struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUpdateLoginFlowWithOidcMethod(provider string, method string) *UpdateLoginFlowWithOidcMethod { +func NewUpdateLoginFlowWithOidcMethod(method string, provider string) *UpdateLoginFlowWithOidcMethod { this := UpdateLoginFlowWithOidcMethod{} - this.Provider = provider this.Method = method + this.Provider = provider return &this } @@ -54,30 +54,6 @@ func NewUpdateLoginFlowWithOidcMethodWithDefaults() *UpdateLoginFlowWithOidcMeth return &this } -// GetProvider returns the Provider field value -func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string { - if o == nil { - var ret string - return ret - } - - return o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value -// and a boolean to check if the value has been set. -func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) { - if o == nil { - return nil, false - } - return &o.Provider, true -} - -// SetProvider sets field value -func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) { - o.Provider = v -} - // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. func (o *UpdateLoginFlowWithOidcMethod) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { 
@@ -198,6 +174,30 @@ func (o *UpdateLoginFlowWithOidcMethod) SetMethod(v string) { o.Method = v } +// GetProvider returns the Provider field value +func (o *UpdateLoginFlowWithOidcMethod) GetProvider() string { + if o == nil { + var ret string + return ret + } + + return o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value +// and a boolean to check if the value has been set. +func (o *UpdateLoginFlowWithOidcMethod) GetProviderOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Provider, true +} + +// SetProvider sets field value +func (o *UpdateLoginFlowWithOidcMethod) SetProvider(v string) { + o.Provider = v +} + // GetTraits returns the Traits field value if set, zero value otherwise. func (o *UpdateLoginFlowWithOidcMethod) GetTraits() map[string]interface{} { if o == nil || o.Traits == nil { @@ -296,9 +296,6 @@ func (o *UpdateLoginFlowWithOidcMethod) SetUpstreamParameters(v map[string]inter func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} - if true { - toSerialize["Provider"] = o.Provider - } if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken } @@ -311,6 +308,9 @@ func (o UpdateLoginFlowWithOidcMethod) MarshalJSON() ([]byte, error) { if true { toSerialize["method"] = o.Method } + if true { + toSerialize["provider"] = o.Provider + } if o.Traits != nil { toSerialize["traits"] = o.Traits } diff --git a/internal/httpclient/model_update_registration_flow_with_oidc_method.go b/internal/httpclient/model_update_registration_flow_with_oidc_method.go index d96f8bb21777..2ee32605fee6 100644 --- a/internal/httpclient/model_update_registration_flow_with_oidc_method.go +++ b/internal/httpclient/model_update_registration_flow_with_oidc_method.go 
@@ -17,21 +17,21 @@ import ( // UpdateRegistrationFlowWithOidcMethod Update Registration Flow with OpenID Connect Method type UpdateRegistrationFlowWithOidcMethod struct { - // The Provider to register with - Provider string `json:"Provider"` // The CSRF Token CsrfToken *string `json:"csrf_token,omitempty"` - // IDToken is an optional id token provided by an OIDC Provider If submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google + // IDToken is an optional id token provided by an OIDC provider If submitted, it is verified using the OIDC provider's public key set and the claims are used to populate the OIDC credentials of the identity. If the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use the `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken. Supported providers are Apple Google IdToken *string `json:"id_token,omitempty"` - // IDTokenNonce is the nonce, used when generating the IDToken. If the Provider supports nonce validation, the nonce will be validated against this value and is required. + // IDTokenNonce is the nonce, used when generating the IDToken. If the provider supports nonce validation, the nonce will be validated against this value and is required. IdTokenNonce *string `json:"id_token_nonce,omitempty"` // Method to use This field must be set to `oidc` when using the oidc method. 
Method string `json:"method"` + // The provider to register with + Provider string `json:"provider"` // The identity traits Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } 
@@ -39,10 +39,10 @@ type UpdateRegistrationFlowWithOidcMethod struct { // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewUpdateRegistrationFlowWithOidcMethod(provider string, method string) *UpdateRegistrationFlowWithOidcMethod { +func NewUpdateRegistrationFlowWithOidcMethod(method string, provider string) *UpdateRegistrationFlowWithOidcMethod { this := UpdateRegistrationFlowWithOidcMethod{} - this.Provider = provider this.Method = method + this.Provider = provider return &this } @@ -54,30 +54,6 @@ func NewUpdateRegistrationFlowWithOidcMethodWithDefaults() *UpdateRegistrationFl return &this } -// GetProvider returns the Provider field value -func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string { - if o == nil { - var ret string - return ret - } - - return o.Provider -} - -// GetProviderOk returns a tuple with the Provider field value -// and a boolean to check if the value has been set. -func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) { - if o == nil { - return nil, false - } - return &o.Provider, true -} - -// SetProvider sets field value -func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) { - o.Provider = v -} - // GetCsrfToken returns the CsrfToken field value if set, zero value otherwise. func (o *UpdateRegistrationFlowWithOidcMethod) GetCsrfToken() string { if o == nil || o.CsrfToken == nil { 
@@ -198,6 +174,30 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetMethod(v string) { o.Method = v } +// GetProvider returns the Provider field value +func (o *UpdateRegistrationFlowWithOidcMethod) GetProvider() string { + if o == nil { + var ret string + return ret + } + + return o.Provider +} + +// GetProviderOk returns a tuple with the Provider field value +// and a boolean to check if the value has been set. +func (o *UpdateRegistrationFlowWithOidcMethod) GetProviderOk() (*string, bool) { + if o == nil { + return nil, false + } + return &o.Provider, true +} + +// SetProvider sets field value +func (o *UpdateRegistrationFlowWithOidcMethod) SetProvider(v string) { + o.Provider = v +} + // GetTraits returns the Traits field value if set, zero value otherwise. func (o *UpdateRegistrationFlowWithOidcMethod) GetTraits() map[string]interface{} { if o == nil || o.Traits == nil { @@ -296,9 +296,6 @@ func (o *UpdateRegistrationFlowWithOidcMethod) SetUpstreamParameters(v map[strin func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} - if true { - toSerialize["Provider"] = o.Provider - } if o.CsrfToken != nil { toSerialize["csrf_token"] = o.CsrfToken } @@ -311,6 +308,9 @@ func (o UpdateRegistrationFlowWithOidcMethod) MarshalJSON() ([]byte, error) { if true { toSerialize["method"] = o.Method } + if true { + toSerialize["provider"] = o.Provider + } if o.Traits != nil { toSerialize["traits"] = o.Traits } diff --git a/internal/httpclient/model_update_settings_flow_with_oidc_method.go b/internal/httpclient/model_update_settings_flow_with_oidc_method.go index 6a1650c5c317..c54a0d1251f3 100644 --- a/internal/httpclient/model_update_settings_flow_with_oidc_method.go +++ b/internal/httpclient/model_update_settings_flow_with_oidc_method.go 
@@ -19,7 +19,7 @@ import ( type UpdateSettingsFlowWithOidcMethod struct { // Flow ID is the flow's ID. in: query Flow *string `json:"flow,omitempty"` - // Link this Provider Either this or `unlink` must be set. type: string in: body + // Link this provider Either this or `unlink` must be set. type: string in: body Link *string `json:"link,omitempty"` // Method Should be set to profile when trying to update a profile. Method string `json:"method"` 
@@ -27,9 +27,9 @@ type UpdateSettingsFlowWithOidcMethod struct { Traits map[string]interface{} `json:"traits,omitempty"` // Transient data to pass along to any webhooks TransientPayload map[string]interface{} `json:"transient_payload,omitempty"` - // Unlink this Provider Either this or `link` must be set. type: string in: body + // Unlink this provider Either this or `link` must be set. type: string in: body Unlink *string `json:"unlink,omitempty"` - // UpstreamParameters are the parameters that are passed to the upstream identity Provider. These parameters are optional and depend on what the upstream identity Provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. + // UpstreamParameters are the parameters that are passed to the upstream identity provider. These parameters are optional and depend on what the upstream identity provider supports. Supported parameters are: `login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session. `hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`. `prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`. UpstreamParameters map[string]interface{} `json:"upstream_parameters,omitempty"` } diff --git a/selfservice/strategy/oidc/fedcm/definitions.go b/selfservice/strategy/oidc/fedcm/definitions.go index aa6a90ebe6e7..a21c14a7b0eb 100644 
--- a/selfservice/strategy/oidc/fedcm/definitions.go
+++ b/selfservice/strategy/oidc/fedcm/definitions.go
@@ -44,7 +44,7 @@ type Provider struct {
//
// Contains a list of all available FedCM providers.
//
-// swagger:model getParametersResponse
+// swagger:model getFedCmParametersResponse
type GetParametersResponse struct {
Providers []Provider `json:"providers"`
CSRFToken string `json:"csrf_token"`
@@ -65,7 +65,7 @@ type GetParametersResponse struct {
// Schemes: http, https
//
// Responses:
-// 200: getParametersResponse
+// 200: getFedCmParametersResponse
// 400: errorGeneric
// default: errorGeneric
diff --git a/selfservice/strategy/oidc/pkce.go b/selfservice/strategy/oidc/pkce.go
index c14e3d3f01e2..2b397c8702b7 100644
--- a/selfservice/strategy/oidc/pkce.go
+++ b/selfservice/strategy/oidc/pkce.go
@@ -48,7 +48,7 @@ func maybePKCE(ctx context.Context, d pkceDependencies, _p Provider) (verifier s
// autodiscover PKCE support
pkceSupported, err := discoverPKCE(ctx, d, p)
if err != nil {
- d.Logger().WithError(err).Warnf("Failed to autodiscover PKCE support for Provider %q. Continuing without PKCE.", p.Config().ID)
+ d.Logger().WithError(err).Warnf("Failed to autodiscover PKCE support for provider %q. Continuing without PKCE.", p.Config().ID)
return ""
}
if !pkceSupported {
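Review bot: The swagger model annotation is renamed to getFedCmParametersResponse while the Go type directly below it keeps its old name GetParametersResponse, so the server-side type no longer matches the name the generated clients now carry (GetFedCmParametersResponse in internal/httpclient). Renaming the type to match, `type GetFedCmParametersResponse struct {`, keeps the two in step and avoids a dead end when someone follows the model name from the spec or SDK back to its definition. The second hunk's `200: getFedCmParametersResponse` response annotation shows the same divergence. The type is presumably referenced by handler code outside these hunks, so the rename would touch those uses as well.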
@@ -67,13 +67,13 @@ func discoverPKCE(ctx context.Context, d pkceDependencies, p OAuth2Provider) (pk
ctx = gooidc.ClientContext(ctx, d.HTTPClient(ctx).HTTPClient)
gp, err := gooidc.NewProvider(ctx, p.Config().IssuerURL)
if err != nil {
- return false, errors.Wrap(err, "failed to initialize Provider")
+ return false, errors.Wrap(err, "failed to initialize provider")
}
var claims struct {
CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported"`
}
if err := gp.Claims(&claims); err != nil {
- return false, errors.Wrap(err, "failed to deserialize Provider claims")
+ return false, errors.Wrap(err, "failed to deserialize provider claims")
}
return slices.Contains(claims.CodeChallengeMethodsSupported, "S256"), nil
}
diff --git a/selfservice/strategy/oidc/strategy.go b/selfservice/strategy/oidc/strategy.go
index cc7900b2d1b2..f63c8e5ded81 100644
--- a/selfservice/strategy/oidc/strategy.go
+++ b/selfservice/strategy/oidc/strategy.go
@@ -761,14 +761,14 @@ func (s *Strategy) ProcessIDToken(r *http.Request, provider Provider, idToken, i
// If it doesn't, check if the provider supports nonces.
if nonceSkipper, ok := verifier.(NonceValidationSkipper); !ok || !nonceSkipper.CanSkipNonce(claims) {
// If the provider supports nonces, abort the flow!
- return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was included in the id_token but is required by the Provider"))
+ return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was included in the id_token but is required by the provider"))
}
// If the provider does not support nonces, we don't do validation and return the claim.
// This case only applies to Apple, as some of their devices do not support nonces.
// https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple
} else if idTokenNonce == "" {
// A nonce was present in the JWT token, but no nonce was submitted in the flow
- return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was provided but is required by the Provider"))
+ return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("No nonce was provided but is required by the provider"))
} else if idTokenNonce != claims.Nonce {
// The nonce from the JWT token does not match the nonce from the flow.
return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("The supplied nonce does not match the nonce from the id_token"))
diff --git a/spec/api.json b/spec/api.json
index 6de5bf4034f5..15d1493fd609 100644
--- a/spec/api.json
+++ b/spec/api.json
@@ -458,7 +458,20 @@ }, "SubmitFedcmTokenBody": { "properties": { + "csrf_token": { + "description": "CSRFToken is the anti-CSRF token.", + "type": "string" + }, + "nonce": { + "description": "Nonce is the nonce, used when generating the IDToken. If the provider supports\nnonce validation, the nonce will be validated against this value and required.", + "type": "string" + }, + "provider": { + "description": "The provider to log in with.", + "type": "string" + }, "token": { + "description": "Token contains the result of `navigator.credentials.get`.", "type": "string" } }, @@ -952,7 +965,7 @@ ], "type": "object" }, - "getParametersResponse": { + "getFedCmParametersResponse": { "description": "Contains a list of all available FedCM providers.", "properties": { "csrf_token": { 
@@ -2881,26 +2894,26 @@ "updateLoginFlowWithOidcMethod": { "description": "Update Login Flow with OpenID Connect Method", "properties": { - "Provider": { - "description": "The Provider to register with", - "type": "string" - }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, + "provider": { + "description": "The provider to register with", + "type": "string" + }, "traits": { "description": "The identity traits. This is a placeholder for the registration flow.", "type": "object" 
@@ -2910,12 +2923,12 @@ "type": "object" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } }, "required": [ - "Provider", + "provider", "method" ], "type": "object" 
@@ -3186,26 +3199,26 @@ "updateRegistrationFlowWithOidcMethod": { "description": "Update Registration Flow with OpenID Connect Method", "properties": { - "Provider": { - "description": "The Provider to register with", - "type": "string" - }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and is required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and is required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, + "provider": { + "description": "The provider to register with", + "type": "string" + }, "traits": { "description": "The identity traits", "type": "object" 
@@ -3215,12 +3228,12 @@ "type": "object" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } }, "required": [ - "Provider", + "provider", "method" ], "type": "object" @@ -3438,7 +3451,7 @@ "type": "string" }, "link": { - "description": "Link this Provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", + "description": "Link this provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", "type": "string" }, "method": { 
@@ -3454,11 +3467,11 @@ "type": "object" }, "unlink": { - "description": "Unlink this Provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", + "description": "Unlink this provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", "type": "string" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } }, @@ -5556,11 +5569,11 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/getParametersResponse" + "$ref": "#/components/schemas/getFedCmParametersResponse" } } }, - "description": "getParametersResponse" + "description": "getFedCmParametersResponse" }, "400": { "content": { 
diff --git a/spec/swagger.json b/spec/swagger.json index 6113dc160b65..43d0743cf342 100755 --- a/spec/swagger.json +++ b/spec/swagger.json @@ -1497,9 +1497,9 @@ "operationId": "getFedcmParameters", "responses": { "200": { - "description": "getParametersResponse", + "description": "getFedCmParametersResponse", "schema": { - "$ref": "#/definitions/getParametersResponse" + "$ref": "#/definitions/getFedCmParametersResponse" } }, "400": { @@ -3762,7 +3762,20 @@ "SubmitFedcmTokenBody": { "type": "object", "properties": { + "csrf_token": { + "description": "CSRFToken is the anti-CSRF token.", + "type": "string" + }, + "nonce": { + "description": "Nonce is the nonce, used when generating the IDToken. If the provider supports\nnonce validation, the nonce will be validated against this value and required.", + "type": "string" + }, + "provider": { + "description": "The provider to log in with.", + "type": "string" + }, "token": { + "description": "Token contains the result of `navigator.credentials.get`.", "type": "string" } } @@ -4210,7 +4223,7 @@ } } }, - "getParametersResponse": { + "getFedCmParametersResponse": { "description": "Contains a list of all available FedCM providers.", "type": "object", "title": "GetParametersResponse", 
@@ -6034,30 +6047,30 @@ "description": "Update Login Flow with OpenID Connect Method", "type": "object", "required": [ - "Provider", + "provider", "method" ], "properties": { - "Provider": { - "description": "The Provider to register with", - "type": "string" - }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, + "provider": { + "description": "The provider to register with", + "type": "string" + }, "traits": { "description": "The identity traits. This is a placeholder for the registration flow.", "type": "object" 
@@ -6067,7 +6080,7 @@ "type": "object" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } } 
@@ -6295,30 +6308,30 @@ "description": "Update Registration Flow with OpenID Connect Method", "type": "object", "required": [ - "Provider", + "provider", "method" ], "properties": { - "Provider": { - "description": "The Provider to register with", - "type": "string" - }, "csrf_token": { "description": "The CSRF Token", "type": "string" }, "id_token": { - "description": "IDToken is an optional id token provided by an OIDC Provider\n\nIf submitted, it is verified using the OIDC Provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC Provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", + "description": "IDToken is an optional id token provided by an OIDC provider\n\nIf submitted, it is verified using the OIDC provider's public key set and the claims are used to populate\nthe OIDC credentials of the identity.\nIf the OIDC provider does not store additional claims (such as name, etc.) in the IDToken itself, you can use\nthe `traits` field to populate the identity's traits. 
Note, that Apple only includes the users email in the IDToken.\n\nSupported providers are\nApple\nGoogle", "type": "string" }, "id_token_nonce": { - "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the Provider supports nonce validation, the nonce will be validated against this value and is required.", + "description": "IDTokenNonce is the nonce, used when generating the IDToken.\nIf the provider supports nonce validation, the nonce will be validated against this value and is required.", "type": "string" }, "method": { "description": "Method to use\n\nThis field must be set to `oidc` when using the oidc method.", "type": "string" }, + "provider": { + "description": "The provider to register with", + "type": "string" + }, "traits": { "description": "The identity traits", "type": "object" 
@@ -6328,7 +6341,7 @@ "type": "object" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } } @@ -6516,7 +6529,7 @@ "type": "string" }, "link": { - "description": "Link this Provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", + "description": "Link this provider\n\nEither this or `unlink` must be set.\n\ntype: string\nin: body", "type": "string" }, "method": { 
@@ -6532,11 +6545,11 @@ "type": "object" }, "unlink": { - "description": "Unlink this Provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", + "description": "Unlink this provider\n\nEither this or `link` must be set.\n\ntype: string\nin: body", "type": "string" }, "upstream_parameters": { - "description": "UpstreamParameters are the parameters that are passed to the upstream identity Provider.\n\nThese parameters are optional and depend on what the upstream identity Provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", + "description": "UpstreamParameters are the parameters that are passed to the upstream identity provider.\n\nThese parameters are optional and depend on what the upstream identity provider supports.\nSupported parameters are:\n`login_hint` (string): The `login_hint` parameter suppresses the account chooser and either pre-fills the email box on the sign-in form, or selects the proper session.\n`hd` (string): The `hd` parameter limits the login/registration process to a Google Organization, e.g. `mycollege.edu`.\n`prompt` (string): The `prompt` specifies whether the Authorization Server prompts the End-User for reauthentication and consent, e.g. `select_account`.", "type": "object" } }