Merge pull request #304 from ory/master

pull[bot] · web-flow · commit 5db1fb74c0f2 · 2025-04-28T12:25:14.000Z
[pull] master from ory:master
diff --git a/consent/helper.go b/consent/helper.go
@@ -4,6 +4,9 @@
 package consent
 
 import (
+	"net/url"
+	"strings"
+
 	"github.com/ory/fosite"
 	"github.com/ory/hydra/v2/client"
 	"github.com/ory/hydra/v2/flow"
@@ -38,3 +41,18 @@ func matchScopes(scopeStrategy fosite.ScopeStrategy, previousConsent []flow.Acce
 
 	return nil
 }
+
+func caseInsensitiveFilterParam(q url.Values, key string) url.Values {
+	query := url.Values{}
+	key = strings.ToLower(key)
+	for k, vs := range q {
+		if key == strings.ToLower(k) {
+			query.Set(k, "****")
+		} else {
+			for _, v := range vs {
+				query.Add(k, v)
+			}
+		}
+	}
+	return query
+}
diff --git a/consent/helper_test.go b/consent/helper_test.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 	"time"
 
@@ -421,3 +422,42 @@ func TestCreateCsrfSession(t *testing.T) {
 		})
 	}
 }
+
+func TestCaseInsensitiveFilterParam(t *testing.T) {
+	for k, tc := range []struct {
+		requestedQuery string
+		key            string
+
+		expectedQuery url.Values
+	}{
+		{
+			requestedQuery: "key=value",
+			key:            "key2",
+			expectedQuery:  url.Values{"key": []string{"value"}},
+		},
+		{
+			requestedQuery: "KeY=value",
+			key:            "key",
+			expectedQuery:  url.Values{"KeY": []string{"****"}},
+		},
+		{
+			requestedQuery: "KeY=value",
+			key:            "kEy",
+			expectedQuery:  url.Values{"KeY": []string{"****"}},
+		},
+		{
+			requestedQuery: "key=value&KEY2=value2",
+			key:            "key2",
+			expectedQuery:  url.Values{"key": []string{"value"}, "KEY2": []string{"****"}},
+		},
+	} {
+		t.Run(fmt.Sprintf("case=%d", k), func(t *testing.T) {
+			query, err := url.ParseQuery(tc.requestedQuery)
+			assert.NoError(t, err)
+
+			q := caseInsensitiveFilterParam(query, tc.key)
+
+			assert.Equal(t, tc.expectedQuery, q)
+		})
+	}
+}
diff --git a/consent/strategy_default.go b/consent/strategy_default.go
@@ -1298,9 +1298,7 @@ func (s *DefaultStrategy) forwardDeviceRequest(ctx context.Context, w http.Respo
 	iu := s.getDeviceVerificationPath(ctx)
 	// We don't want the user_code persisted in the database
 	q := r.URL.Query()
-	if q.Has("user_code") {
-		q.Set("user_code", "****")
-	}
+	q = caseInsensitiveFilterParam(q, "user_code")
 	iu.RawQuery = q.Encode()
 
 	f, err := s.r.ConsentManager().CreateDeviceUserAuthRequest(
diff --git a/oauth2/.snapshots/TestHandlerOauthAuthorizationServer-hsm_enabled=false.json b/oauth2/.snapshots/TestHandlerOauthAuthorizationServer-hsm_enabled=false.json
@@ -0,0 +1,104 @@
+{
+  "authorization_endpoint": "http://hydra.localhost/oauth2/auth",
+  "backchannel_logout_session_supported": true,
+  "backchannel_logout_supported": true,
+  "claims_parameter_supported": false,
+  "claims_supported": [
+    "sub"
+  ],
+  "code_challenge_methods_supported": [
+    "plain",
+    "S256"
+  ],
+  "credentials_endpoint_draft_00": "http://hydra.localhost/credentials",
+  "credentials_supported_draft_00": [
+    {
+      "cryptographic_binding_methods_supported": [
+        "jwk"
+      ],
+      "cryptographic_suites_supported": [
+        "PS256",
+        "RS256",
+        "ES256",
+        "PS384",
+        "RS384",
+        "ES384",
+        "PS512",
+        "RS512",
+        "ES512",
+        "EdDSA"
+      ],
+      "format": "jwt_vc_json",
+      "types": [
+        "VerifiableCredential",
+        "UserInfoCredential"
+      ]
+    }
+  ],
+  "device_authorization_endpoint": "http://hydra.localhost/oauth2/device/auth",
+  "end_session_endpoint": "http://hydra.localhost/oauth2/sessions/logout",
+  "frontchannel_logout_session_supported": true,
+  "frontchannel_logout_supported": true,
+  "grant_types_supported": [
+    "authorization_code",
+    "implicit",
+    "client_credentials",
+    "refresh_token",
+    "urn:ietf:params:oauth:grant-type:device_code"
+  ],
+  "id_token_signed_response_alg": [
+    "RS256"
+  ],
+  "id_token_signing_alg_values_supported": [
+    "RS256"
+  ],
+  "issuer": "http://hydra.localhost",
+  "jwks_uri": "http://hydra.localhost/.well-known/jwks.json",
+  "registration_endpoint": "http://client-register/registration",
+  "request_object_signing_alg_values_supported": [
+    "none",
+    "RS256",
+    "ES256"
+  ],
+  "request_parameter_supported": true,
+  "request_uri_parameter_supported": true,
+  "require_request_uri_registration": true,
+  "response_modes_supported": [
+    "query",
+    "fragment",
+    "form_post"
+  ],
+  "response_types_supported": [
+    "code",
+    "code id_token",
+    "id_token",
+    "token id_token",
+    "token",
+    "token id_token code"
+  ],
+  "revocation_endpoint": "http://hydra.localhost/oauth2/revoke",
+  "scopes_supported": [
+    "offline_access",
+    "offline",
+    "openid"
+  ],
+  "subject_types_supported": [
+    "pairwise",
+    "public"
+  ],
+  "token_endpoint": "http://hydra.localhost/oauth2/token",
+  "token_endpoint_auth_methods_supported": [
+    "client_secret_post",
+    "client_secret_basic",
+    "private_key_jwt",
+    "none"
+  ],
+  "userinfo_endpoint": "/userinfo",
+  "userinfo_signed_response_alg": [
+    "RS256"
+  ],
+  "userinfo_signing_alg_values_supported": [
+    "none",
+    "RS256"
+  ]
+}
diff --git a/oauth2/.snapshots/TestHandlerOauthAuthorizationServer-hsm_enabled=true.json b/oauth2/.snapshots/TestHandlerOauthAuthorizationServer-hsm_enabled=true.json
@@ -0,0 +1,104 @@
+{
+  "authorization_endpoint": "http://hydra.localhost/oauth2/auth",
+  "backchannel_logout_session_supported": true,
+  "backchannel_logout_supported": true,
+  "claims_parameter_supported": false,
+  "claims_supported": [
+    "sub"
+  ],
+  "code_challenge_methods_supported": [
+    "plain",
+    "S256"
+  ],
+  "credentials_endpoint_draft_00": "http://hydra.localhost/credentials",
+  "credentials_supported_draft_00": [
+    {
+      "cryptographic_binding_methods_supported": [
+        "jwk"
+      ],
+      "cryptographic_suites_supported": [
+        "PS256",
+        "RS256",
+        "ES256",
+        "PS384",
+        "RS384",
+        "ES384",
+        "PS512",
+        "RS512",
+        "ES512",
+        "EdDSA"
+      ],
+      "format": "jwt_vc_json",
+      "types": [
+        "VerifiableCredential",
+        "UserInfoCredential"
+      ]
+    }
+  ],
+  "device_authorization_endpoint": "http://hydra.localhost/oauth2/device/auth",
+  "end_session_endpoint": "http://hydra.localhost/oauth2/sessions/logout",
+  "frontchannel_logout_session_supported": true,
+  "frontchannel_logout_supported": true,
+  "grant_types_supported": [
+    "authorization_code",
+    "implicit",
+    "client_credentials",
+    "refresh_token",
+    "urn:ietf:params:oauth:grant-type:device_code"
+  ],
+  "id_token_signed_response_alg": [
+    "RS256"
+  ],
+  "id_token_signing_alg_values_supported": [
+    "RS256"
+  ],
+  "issuer": "http://hydra.localhost",
+  "jwks_uri": "http://hydra.localhost/.well-known/jwks.json",
+  "registration_endpoint": "http://client-register/registration",
+  "request_object_signing_alg_values_supported": [
+    "none",
+    "RS256",
+    "ES256"
+  ],
+  "request_parameter_supported": true,
+  "request_uri_parameter_supported": true,
+  "require_request_uri_registration": true,
+  "response_modes_supported": [
+    "query",
+    "fragment",
+    "form_post"
+  ],
+  "response_types_supported": [
+    "code",
+    "code id_token",
+    "id_token",
+    "token id_token",
+    "token",
+    "token id_token code"
+  ],
+  "revocation_endpoint": "http://hydra.localhost/oauth2/revoke",
+  "scopes_supported": [
+    "offline_access",
+    "offline",
+    "openid"
+  ],
+  "subject_types_supported": [
+    "pairwise",
+    "public"
+  ],
+  "token_endpoint": "http://hydra.localhost/oauth2/token",
+  "token_endpoint_auth_methods_supported": [
+    "client_secret_post",
+    "client_secret_basic",
+    "private_key_jwt",
+    "none"
+  ],
+  "userinfo_endpoint": "/userinfo",
+  "userinfo_signed_response_alg": [
+    "RS256"
+  ],
+  "userinfo_signing_alg_values_supported": [
+    "none",
+    "RS256"
+  ]
+}
diff --git a/oauth2/handler.go b/oauth2/handler.go
@@ -58,10 +58,11 @@ const (
 	AuthPath                      = "/oauth2/auth"
 	LogoutPath                    = "/oauth2/sessions/logout"
 
-	VerifiableCredentialsPath = "/credentials"
-	UserinfoPath              = "/userinfo"
-	WellKnownPath             = "/.well-known/openid-configuration"
-	JWKPath                   = "/.well-known/jwks.json"
+	VerifiableCredentialsPath    = "/credentials"
+	UserinfoPath                 = "/userinfo"
+	WellKnownPath                = "/.well-known/openid-configuration"
+	OauthAuthorizationServerPath = "/.well-known/oauth-authorization-server"
+	JWKPath                      = "/.well-known/jwks.json"
 
 	// IntrospectPath points to the OAuth2 introspection endpoint.
 	IntrospectPath   = "/oauth2/introspect"
@@ -125,6 +126,8 @@ func (h *Handler) SetRoutes(admin *httprouterx.RouterAdmin, public *httprouterx.
 	public.Handler("POST", RevocationPath, corsMiddleware(http.HandlerFunc(h.revokeOAuth2Token)))
 	public.Handler("OPTIONS", WellKnownPath, corsMiddleware(http.HandlerFunc(h.handleOptions)))
 	public.Handler("GET", WellKnownPath, corsMiddleware(http.HandlerFunc(h.discoverOidcConfiguration)))
+	public.Handler("OPTIONS", OauthAuthorizationServerPath, corsMiddleware(http.HandlerFunc(h.handleOptions)))
+	public.Handler("GET", OauthAuthorizationServerPath, corsMiddleware(http.HandlerFunc(h.discoverOidcConfiguration)))
 	public.Handler("OPTIONS", UserinfoPath, corsMiddleware(http.HandlerFunc(h.handleOptions)))
 	public.Handler("GET", UserinfoPath, corsMiddleware(http.HandlerFunc(h.getOidcUserInfo)))
 	public.Handler("POST", UserinfoPath, corsMiddleware(http.HandlerFunc(h.getOidcUserInfo)))
diff --git a/oauth2/handler_test.go b/oauth2/handler_test.go
@@ -369,3 +369,35 @@ func TestHandlerWellKnown(t *testing.T) {
 		snapshotx.SnapshotT(t, wellKnownResp)
 	})
 }
+
+func TestHandlerOauthAuthorizationServer(t *testing.T) {
+	ctx := context.Background()
+	conf := testhelpers.NewConfigurationWithDefaults()
+	t.Run(fmt.Sprintf("hsm_enabled=%v", conf.HSMEnabled()), func(t *testing.T) {
+		conf.MustSet(ctx, config.KeyScopeStrategy, "DEPRECATED_HIERARCHICAL_SCOPE_STRATEGY")
+		conf.MustSet(ctx, config.KeyIssuerURL, "http://hydra.localhost")
+		conf.MustSet(ctx, config.KeySubjectTypesSupported, []string{"pairwise", "public"})
+		conf.MustSet(ctx, config.KeyOIDCDiscoverySupportedClaims, []string{"sub"})
+		conf.MustSet(ctx, config.KeyOAuth2ClientRegistrationURL, "http://client-register/registration")
+		conf.MustSet(ctx, config.KeyOIDCDiscoveryUserinfoEndpoint, "/userinfo")
+		reg := testhelpers.NewRegistryMemory(t, conf, &contextx.Default{})
+
+		h := oauth2.NewHandler(reg, conf)
+
+		r := x.NewRouterAdmin(conf.AdminURL)
+		h.SetRoutes(r, &httprouterx.RouterPublic{Router: r.Router}, func(h http.Handler) http.Handler {
+			return h
+		})
+		ts := httptest.NewServer(r)
+		defer ts.Close()
+
+		res, err := http.Get(ts.URL + "/.well-known/oauth-authorization-server")
+		require.NoError(t, err)
+		defer res.Body.Close()
+
+		var wellKnownResp hydra.OidcConfiguration
+		err = json.NewDecoder(res.Body).Decode(&wellKnownResp)
+		require.NoError(t, err, "problem decoding wellknown json response: %+v", err)
+		snapshotx.SnapshotT(t, wellKnownResp)
+	})
+}
