feat: add skip_logout_consent option to clients

Adds a special field which disables the logout consent screen when performing OIDC logout.

client/.snapshots/TestHandler-create_client_registration_tokens-case=0-dynamic=true.json

@@ -17,6 +17,7 @@
   "jwks": {},
   "metadata": {},
   "skip_consent": false,
+  "skip_logout_consent": null,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-create_client_registration_tokens-case=1-dynamic=false.json

@@ -17,6 +17,7 @@
   "jwks": {},
   "metadata": {},
   "skip_consent": false,
+  "skip_logout_consent": null,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/client.go

@@ -311,6 +311,10 @@ type Client struct {
 	// be set from the admin API.
 	SkipConsent bool `json:"skip_consent" db:"skip_consent" faker:"-"`
 
+	// SkipLogoutConsent skips the logout consent screen for this client. This field can only
+	// be set from the admin API.
+	SkipLogoutConsent sqlxx.NullBool `json:"skip_logout_consent" db:"skip_logout_consent" faker:"-"`
+
 	Lifespans
 }
 

client/handler_test.go

@@ -13,6 +13,8 @@ import (
 	"net/http/httptest"
 	"testing"
 
+	"github.com/ory/x/sqlxx"
+
 	"github.com/ory/x/httprouterx"
 
 	"github.com/tidwall/sjson"
@@ -347,11 +349,30 @@ func TestHandler(t *testing.T) {
 					statusCode: http.StatusBadRequest,
 				},
 				{
-					d: "setting skip_consent suceeds for admin registration",
+					d: "setting skip_consent succeeds for admin registration",
 					payload: &client.Client{
 						RedirectURIs: []string{"http://localhost:3000/cb"},
-						SkipConsent:  true,
 						Secret:       "2SKZkBf2P5g4toAXXnCrr~_sDM",
+						SkipConsent:  true,
+					},
+					path:       client.ClientsHandlerPath,
+					statusCode: http.StatusCreated,
+				},
+				{
+					d: "setting skip_logout_consent fails for dynamic registration",
+					payload: &client.Client{
+						RedirectURIs:      []string{"http://localhost:3000/cb"},
+						SkipLogoutConsent: sqlxx.NullBool{Bool: true, Valid: true},
+					},
+					path:       client.DynClientsHandlerPath,
+					statusCode: http.StatusBadRequest,
+				},
+				{
+					d: "setting skip_logout_consent succeeds for admin registration",
+					payload: &client.Client{
+						RedirectURIs:      []string{"http://localhost:3000/cb"},
+						SkipLogoutConsent: sqlxx.NullBool{Bool: true, Valid: true},
+						Secret:            "2SKZkBf2P5g4toAXXnCrr~_sDM",
 					},
 					path:       client.ClientsHandlerPath,
 					statusCode: http.StatusCreated,

client/validator.go

@@ -207,6 +207,9 @@ func (v *Validator) ValidateDynamicRegistration(ctx context.Context, c *Client)
 	if c.SkipConsent {
 		return errorsx.WithStack(ErrInvalidRequest.WithDescription(`"skip_consent" cannot be set for dynamic client registration`))
 	}
+	if c.SkipLogoutConsent.Valid {
+		return errorsx.WithStack(ErrInvalidRequest.WithDescription(`"skip_logout_consent" cannot be set for dynamic client registration`))
+	}
 
 	return v.Validate(ctx, c)
 }

internal/httpclient/api/openapi.yaml

@@ -2593,6 +2593,7 @@ components:
         sector_identifier_uri: sector_identifier_uri
         frontchannel_logout_session_required: true
         frontchannel_logout_uri: frontchannel_logout_uri
+        skip_logout_consent: true
         refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
         implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
         client_secret_expires_at: 0
@@ -2885,6 +2886,11 @@ components:
             SkipConsent skips the consent screen for this client. This field can only
             be set from the admin API.
           type: boolean
+        skip_logout_consent:
+          description: |-
+            SkipLogoutConsent skips the logout consent screen for this client. This field can only
+            be set from the admin API.
+          type: boolean
         subject_type:
           description: |-
             OpenID Connect Subject Type
@@ -3077,6 +3083,7 @@ components:
           sector_identifier_uri: sector_identifier_uri
           frontchannel_logout_session_required: true
           frontchannel_logout_uri: frontchannel_logout_uri
+          skip_logout_consent: true
           refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
           implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
           client_secret_expires_at: 0
@@ -3306,6 +3313,7 @@ components:
             sector_identifier_uri: sector_identifier_uri
             frontchannel_logout_session_required: true
             frontchannel_logout_uri: frontchannel_logout_uri
+            skip_logout_consent: true
             refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
             implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
             client_secret_expires_at: 0
@@ -3454,6 +3462,7 @@ components:
           sector_identifier_uri: sector_identifier_uri
           frontchannel_logout_session_required: true
           frontchannel_logout_uri: frontchannel_logout_uri
+          skip_logout_consent: true
           refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
           implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
           client_secret_expires_at: 0
@@ -3584,6 +3593,7 @@ components:
           sector_identifier_uri: sector_identifier_uri
           frontchannel_logout_session_required: true
           frontchannel_logout_uri: frontchannel_logout_uri
+          skip_logout_consent: true
           refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
           implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
           client_secret_expires_at: 0

internal/httpclient/docs/OAuth2Client.md

@@ -45,6 +45,7 @@ Name | Type | Description | Notes
 **Scope** | Pointer to **string** | OAuth 2.0 Client Scope  Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens. | [optional] 
 **SectorIdentifierUri** | Pointer to **string** | OpenID Connect Sector Identifier URI  URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values. | [optional] 
 **SkipConsent** | Pointer to **bool** | SkipConsent skips the consent screen for this client. This field can only be set from the admin API. | [optional] 
+**SkipLogoutConsent** | Pointer to **bool** | SkipLogoutConsent skips the logout consent screen for this client. This field can only be set from the admin API. | [optional] 
 **SubjectType** | Pointer to **string** | OpenID Connect Subject Type  The `subject_types_supported` Discovery parameter contains a list of the supported subject_type values for this server. Valid types include `pairwise` and `public`. | [optional] 
 **TokenEndpointAuthMethod** | Pointer to **string** | OAuth 2.0 Token Endpoint Authentication Method  Requested Client Authentication method for the Token Endpoint. The options are:  `client_secret_basic`: (default) Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` encoded in the HTTP Authorization header. `client_secret_post`: Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` in the HTTP body. `private_key_jwt`: Use JSON Web Tokens to authenticate the client. `none`: Used for public clients (native apps, mobile apps) which can not have secrets. | [optional] [default to "client_secret_basic"]
 **TokenEndpointAuthSigningAlg** | Pointer to **string** | OAuth 2.0 Token Endpoint Signing Algorithm  Requested Client Authentication signing algorithm for the Token Endpoint. | [optional] 
@@ -1116,6 +1117,31 @@ SetSkipConsent sets SkipConsent field to given value.
 
 HasSkipConsent returns a boolean if a field has been set.
 
+### GetSkipLogoutConsent
+
+`func (o *OAuth2Client) GetSkipLogoutConsent() bool`
+
+GetSkipLogoutConsent returns the SkipLogoutConsent field if non-nil, zero value otherwise.
+
+### GetSkipLogoutConsentOk
+
+`func (o *OAuth2Client) GetSkipLogoutConsentOk() (*bool, bool)`
+
+GetSkipLogoutConsentOk returns a tuple with the SkipLogoutConsent field if it's non-nil, zero value otherwise
+and a boolean to check if the value has been set.
+
+### SetSkipLogoutConsent
+
+`func (o *OAuth2Client) SetSkipLogoutConsent(v bool)`
+
+SetSkipLogoutConsent sets SkipLogoutConsent field to given value.
+
+### HasSkipLogoutConsent
+
+`func (o *OAuth2Client) HasSkipLogoutConsent() bool`
+
+HasSkipLogoutConsent returns a boolean if a field has been set.
+
 ### GetSubjectType
 
 `func (o *OAuth2Client) GetSubjectType() string`