Merge branch 'master' into jonas-jonas/deflakeCRDBTests

CHANGELOG.md

@@ -5,7 +5,7 @@
 
 **Table of Contents**
 
-- [ (2024-04-05)](#2024-04-05)
+- [ (2024-04-16)](#2024-04-16)
   - [Breaking Changes](#breaking-changes)
     - [Bug Fixes](#bug-fixes)
     - [Features](#features)
@@ -322,7 +322,7 @@
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
-# [](https://github.com/ory/kratos/compare/v1.1.0...v) (2024-04-05)
+# [](https://github.com/ory/kratos/compare/v1.1.0...v) (2024-04-16)
 
 ## Breaking Changes
 
@@ -376,6 +376,8 @@ defaults to `false`.
 - Improve SDK discriminators
   ([#3844](https://github.com/ory/kratos/issues/3844))
   ([c08b3ad](https://github.com/ory/kratos/commit/c08b3ad76c5adb712c945cdbd92a9a51832e94b9))
+- Linkedin issuer override ([#3875](https://github.com/ory/kratos/issues/3875))
+  ([11d221a](https://github.com/ory/kratos/commit/11d221a4d33878930ca7025ae1b5c18b25dd1add))
 - Make sure emails can still be sent with SMS enabled
   ([#3795](https://github.com/ory/kratos/issues/3795))
   ([7c68c5a](https://github.com/ory/kratos/commit/7c68c5aa69ed76a84a37a37a3555277ddc772cf8))
@@ -414,6 +416,9 @@ defaults to `false`.
   user-controlled and these endpoints could not be used fully due to the backend
   ignoring any value other than `true` (all lowercase).
 
+- Use correct post-verification identity state in post-hooks
+  ([#3863](https://github.com/ory/kratos/issues/3863))
+  ([6e63d06](https://github.com/ory/kratos/commit/6e63d06db1cd1ab62f8a2d0b202ec74572420204))
 - Webhook transient payload in OIDC login flows
   ([#3857](https://github.com/ory/kratos/issues/3857))
   ([2cdfc70](https://github.com/ory/kratos/commit/2cdfc70c726a166790b98d419895f0396d13176f)):
@@ -427,6 +432,9 @@ defaults to `false`.
   ([d94530a](https://github.com/ory/kratos/commit/d94530a716358895b01b65babd77226fab69f494))
 - Add headers to web hooks ([#3849](https://github.com/ory/kratos/issues/3849))
   ([4642de0](https://github.com/ory/kratos/commit/4642de0cfd1fb15bc48c7093be9449abd488755c))
+- Add session to post login webhook
+  ([#3877](https://github.com/ory/kratos/issues/3877))
+  ([386078e](https://github.com/ory/kratos/commit/386078e0b5c74c54ce2c7dc6fd12fd865817b87a))
 - Add transient payloads to all flows
   ([#3738](https://github.com/ory/kratos/issues/3738))
   ([b8b747b](https://github.com/ory/kratos/commit/b8b747b2adc59c8cf938a0ee30accdb4135634b8))
@@ -459,6 +467,8 @@ defaults to `false`.
 
 ### Tests
 
+- Deflake session test ([#3864](https://github.com/ory/kratos/issues/3864))
+  ([6b275f3](https://github.com/ory/kratos/commit/6b275f35a0732ffb723d47df5b6afbdc06eaf71f))
 - Resolve failing test for empty tokens
   ([#3775](https://github.com/ory/kratos/issues/3775))
   ([7277368](https://github.com/ory/kratos/commit/7277368bc28df8f0badffc7e739cef20f05e9a02))

selfservice/hook/stub/test_body.jsonnet

@@ -1,6 +1,7 @@
 function(ctx) std.prune({
   flow_id: ctx.flow.id,
   identity_id: if std.objectHas(ctx, "identity") then ctx.identity.id,
+  session_id: if std.objectHas(ctx, "session") then ctx.session.id,
   headers: ctx.request_headers,
   url: ctx.request_url,
   method: ctx.request_method,

selfservice/hook/web_hook.go

@@ -81,6 +81,7 @@ type (
 		RequestURL     string             `json:"request_url"`
 		RequestCookies map[string]string  `json:"request_cookies"`
 		Identity       *identity.Identity `json:"identity,omitempty"`
+		Session        *session.Session   `json:"session,omitempty"`
 	}
 
 	WebHook struct {
@@ -140,6 +141,7 @@ func (e *WebHook) ExecuteLoginPostHook(_ http.ResponseWriter, req *http.Request,
 			RequestURL:     x.RequestURL(req).String(),
 			RequestCookies: cookies(req),
 			Identity:       session.Identity,
+			Session:        session,
 		})
 	})
 }

selfservice/hook/web_hook_integration_test.go

@@ -148,6 +148,24 @@ func TestWebHooks(t *testing.T) {
 				}`, f.GetID(), s.Identity.ID, string(h), req.Method, "http://www.ory.sh/some_end_point", string(tp))
 	}
 
+	bodyWithFlowAndIdentityAndSessionAndTransientPayload := func(req *http.Request, f flow.Flow, s *session.Session, tp json.RawMessage) string {
+		h, _ := json.Marshal(req.Header)
+		return fmt.Sprintf(`{
+					"flow_id": "%s",
+					"identity_id": "%s",
+					"session_id": "%s",
+					"headers": %s,
+					"method": "%s",
+					"url": "%s",
+					"cookies": {
+						"Some-Cookie-1": "Some-Cookie-Value",
+						"Some-Cookie-2": "Some-other-Cookie-Value",
+						"Some-Cookie-3": "Third-Cookie-Value"
+					},
+					"transient_payload": %s
+				}`, f.GetID(), s.Identity.ID, s.ID, string(h), req.Method, "http://www.ory.sh/some_end_point", string(tp))
+	}
+
 	for _, tc := range []struct {
 		uc           string
 		callWebHook  func(wh *hook.WebHook, req *http.Request, f flow.Flow, s *session.Session) error
@@ -171,7 +189,7 @@ func TestWebHooks(t *testing.T) {
 				return wh.ExecuteLoginPostHook(nil, req, node.PasswordGroup, f.(*login.Flow), s)
 			},
 			expectedBody: func(req *http.Request, f flow.Flow, s *session.Session) string {
-				return bodyWithFlowAndIdentityAndTransientPayload(req, f, s, transientPayload)
+				return bodyWithFlowAndIdentityAndSessionAndTransientPayload(req, f, s, transientPayload)
 			},
 		},
 		{

selfservice/strategy/oidc/provider_linkedin_v2.go

@@ -3,45 +3,15 @@
 
 package oidc
 
-import (
-	"context"
-	"net/url"
-
-	gooidc "github.com/coreos/go-oidc/v3/oidc"
-	"golang.org/x/oauth2"
-)
-
-type ProviderLinkedInV2 struct {
-	*ProviderGenericOIDC
-}
-
 func NewProviderLinkedInV2(
 	config *Configuration,
 	reg Dependencies,
 ) Provider {
 	config.ClaimsSource = ClaimsSourceUserInfo
 	config.IssuerURL = "https://www.linkedin.com/oauth"
 
-	return &ProviderLinkedInV2{
-		ProviderGenericOIDC: &ProviderGenericOIDC{
-			config: config,
-			reg:    reg,
-		},
+	return &ProviderGenericOIDC{
+		config: config,
+		reg:    reg,
 	}
 }
-
-func (l *ProviderLinkedInV2) wrapCtx(ctx context.Context) context.Context {
-	// We need to overwrite the issuer here because the discovery URL is under
-	// `https://www.linkedin.com/oauth/.well-known/openid-configuration`, wherease
-	// the issuer is `https://www.linkedin.com` (without the `/oauth`). This is
-	// not conformant according to the OIDC spec, but needed for LinkedIn.
-	return gooidc.InsecureIssuerURLContext(ctx, "https://www.linkedin.com")
-}
-
-func (l *ProviderLinkedInV2) OAuth2(ctx context.Context) (*oauth2.Config, error) {
-	return l.ProviderGenericOIDC.OAuth2(l.wrapCtx(ctx))
-}
-
-func (l *ProviderLinkedInV2) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error) {
-	return l.ProviderGenericOIDC.Claims(l.wrapCtx(ctx), exchange, query)
-}

session/handler_test.go

@@ -187,7 +187,14 @@ func TestSessionWhoAmI(t *testing.T) {
 						if maxAge > 0 {
 							assert.Equal(t, fmt.Sprintf("%0.f", maxAge.Seconds()), res.Header.Get("Ory-Session-Cache-For"))
 						} else {
-							assert.Equal(t, fmt.Sprintf("%0.f", conf.SessionLifespan(ctx).Seconds()), res.Header.Get("Ory-Session-Cache-For"))
+							// parse int to string from Ory-Session-Cache-For
+							parsed, err := strconv.Atoi(res.Header.Get("Ory-Session-Cache-For"))
+							require.NoError(t, err)
+							lifespan := conf.SessionLifespan(ctx).Seconds()
+							// We need to account for the time it takes to make the request, as depending on the system it might take a few more ms which leads to the value being off by a second or more.
+							assert.Condition(t, func() bool {
+								return parsed > int(lifespan-5) && parsed <= int(lifespan)
+							}, "Expected the value of the Ory-Session-Cache-For header to be roughly around the configured lifespan. Got parsed: %d, lifespan: %d", parsed, int(lifespan))
 						}
 					} else {
 						assert.Empty(t, res.Header.Get("Ory-Session-Cache-For"))