feat: add token request hooks for all grant types

[sgal]

Added a generic token hook that is called for all grant types and includes payload with a single allowed value - assertion to cover the jwt-bearer grant type customization.

Existing refresh hook is left unchanged and will be deprecated in favor of the new hook.

Related issue(s)

#3244
ory/fosite#729

This change completes and extends the work done in #3254

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

Docs update PR - ory/docs#1241

[codecov]

Codecov Report

Merging #3427 (4b341d8) into master (a663927) will decrease coverage by 0.01%.
The diff coverage is 71.76%.

❗ Current head 4b341d8 differs from pull request most recent head d06cdf0. Consider uploading reports for the commit d06cdf0 to get more accurate results

@@            Coverage Diff             @@
##           master    #3427      +/-   ##
==========================================
- Coverage   76.83%   76.82%   -0.01%     
==========================================
  Files         123      124       +1     
  Lines        9125     9160      +35     
==========================================
+ Hits         7011     7037      +26     
- Misses       1666     1673       +7     
- Partials      448      450       +2     

Impacted Files	Coverage Δ
oauth2/refresh_hook.go	67.64% <60.00%> (ø)
oauth2/token_hook.go	71.05% <71.05%> (ø)
driver/config/provider.go	81.85% <100.00%> (ø)
driver/registry_base.go	85.98% <100.00%> (+0.05%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[hperl]

This looks very good! I just had some minor questions & suggestions.

[sgal]

@hperl I fixed the comments, please have a look!

[hperl]

LGTM! 🎉

[aeneasr]

Very nice changes, just two minor remarks

[sgal]

@aeneasr I fixed the following parts:

• Remove client_secret from the payload that is sent to the webhook
• Only send the payload in the jwt-bearer grant type
• Remove the data duplication in the webhook request

Please have a look.

[sgal]

Docs are also updated - ory/docs#1241

[aeneasr]

Do we need all of these config elements? Maybe it makes more sense to have one endpoint and pass the grant type and let the webhook deal with that?

[sgal]

Yeah, that makes much more sense. Let me take a stab at it.

[aeneasr]

Awesome thanks :)

[aeneasr]

To keep backwards compatibility we could also just add a new key "hook" and deprecate the refresh token hook at some point. That way we don't break BC?

[sgal]

@aeneasr Changed to having a generic token hook config, along with the existing one. Cleaned up the request payload for the new hook to remove duplication.

[aeneasr]

Very nice

[sgal]

@fehrnah FYI, it's finally in! Thanks for laying the foundation for this feature 👍

[fehrnah]

@fehrnah FYI, it's finally in! Thanks for laying the foundation for this feature 👍

Congratulations!

[aeneasr]

Thank you both :)