Skip to content

Commit

Permalink
feat: link credentials when second login is OIDC (CORE-2041)
Browse files Browse the repository at this point in the history
  • Loading branch information
splaunov committed May 8, 2023
1 parent 4d2551e commit c06f46b
Show file tree
Hide file tree
Showing 5 changed files with 290 additions and 172 deletions.
94 changes: 0 additions & 94 deletions selfservice/flow/login/handler.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,8 @@
package login

import (
"context"
_ "embed"
"encoding/json"
"fmt"
"github.com/tidwall/gjson"
"github.com/tidwall/sjson"
"net/http"
Expand Down Expand Up @@ -68,7 +66,6 @@ type (
x.CSRFProvider
config.Provider
ErrorHandlerProvider
identity.PrivilegedPoolProvider
}
HandlerProvider interface {
LoginHandler() *Handler
Expand Down Expand Up @@ -755,11 +752,6 @@ continueLogin:
sess = session.NewInactiveSession()
}

if err := h.linkCredentials(r, sess, interim, f); err != nil {
h.d.LoginFlowErrorHandler().WriteFlowError(w, r, f, group, err)
return
}

method := ss.CompletedAuthenticationMethod(r.Context())
sess.CompletedLoginFor(method.Method, method.AAL)
i = interim
Expand All @@ -781,89 +773,3 @@ continueLogin:
return
}
}

func (h *Handler) linkCredentials(r *http.Request, s *session.Session, i *identity.Identity, f *Flow) error {
var lc flow.RegistrationDuplicateCredentials

var p struct {
FlowID string `json:"linkCredentialsFlow" form:"linkCredentialsFlow"`
}

if err := h.hd.Decode(r, &p,
decoderx.HTTPDecoderSetValidatePayloads(true),
decoderx.MustHTTPRawJSONSchemaCompiler(linkCredentialsSchema),
decoderx.HTTPDecoderJSONFollowsFormFormat()); err != nil {
return err
}

if p.FlowID != "" {
linkCredentialsFlowID, innerErr := uuid.FromString(p.FlowID)
if innerErr != nil {
return innerErr
}
linkCredentialsFlow, innerErr := h.d.LoginFlowPersister().GetLoginFlow(r.Context(), linkCredentialsFlowID)
if innerErr != nil {
return innerErr
}
innerErr = h.getInternalContextLinkCredentials(linkCredentialsFlow, flow.InternalContextDuplicateCredentialsPath, &lc)
if innerErr != nil {
return innerErr
}
}

if lc.CredentialsType == "" {
err := h.getInternalContextLinkCredentials(f, flow.InternalContextLinkCredentialsPath, &lc)
if err != nil {
return err
}
}

if lc.CredentialsType != "" {
if err := h.checkDuplecateCredentialsIdentifierMatch(r.Context(), i.ID, lc.DuplicateIdentifier); err != nil {
return err
}
strategy, err := h.d.AllLoginStrategies().Strategy(lc.CredentialsType)
if err != nil {
return err
}

linkableStrategy, ok := strategy.(LinkableStrategy)
if !ok {
return errors.New(fmt.Sprintf("Strategy is not linkable: %T", linkableStrategy))
}

if err := linkableStrategy.Link(r.Context(), i, lc.CredentialsConfig); err != nil {
return err
}

method := strategy.CompletedAuthenticationMethod(r.Context())
s.CompletedLoginFor(method.Method, method.AAL)
}

return nil
}

func (h *Handler) getInternalContextLinkCredentials(f *Flow, internalContextPath string, lc *flow.RegistrationDuplicateCredentials) error {
internalContextLinkCredentials := gjson.GetBytes(f.InternalContext, internalContextPath)
if internalContextLinkCredentials.IsObject() {
if err := json.Unmarshal([]byte(internalContextLinkCredentials.Raw), lc); err != nil {
return err
}
}
return nil
}

func (h *Handler) checkDuplecateCredentialsIdentifierMatch(ctx context.Context, identityID uuid.UUID, match string) error {
i, err := h.d.PrivilegedIdentityPool().GetIdentityConfidential(ctx, identityID)
if err != nil {
return err
}
for _, credentials := range i.Credentials {
for _, identifier := range credentials.Identifiers {
if identifier == match {
return nil
}
}
}
return schema.NewLinkedCredentialsDoNotMatch()
}
100 changes: 100 additions & 0 deletions selfservice/flow/login/hook.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,12 @@ package login

import (
"context"
"encoding/json"
"fmt"
"github.com/gofrs/uuid"
"github.com/ory/kratos/schema"
"github.com/ory/x/decoderx"
"github.com/tidwall/gjson"
"net/http"
"time"

Expand Down Expand Up @@ -43,13 +48,16 @@ type (
executorDependencies interface {
config.Provider
hydra.HydraProvider
identity.PrivilegedPoolProvider
session.ManagementProvider
session.PersistenceProvider
x.CSRFTokenGeneratorProvider
x.WriterProvider
x.LoggingProvider

FlowPersistenceProvider
HooksProvider
StrategyProvider
}
HookExecutor struct {
d executorDependencies
Expand Down Expand Up @@ -110,6 +118,10 @@ func (e *HookExecutor) handleLoginError(_ http.ResponseWriter, r *http.Request,
}

func (e *HookExecutor) PostLoginHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *Flow, i *identity.Identity, s *session.Session) error {
if err := e.linkCredentials(r, s, i, a); err != nil {
return err
}

if err := s.Activate(r, i, e.d.Config(), time.Now().UTC()); err != nil {
return err
}
Expand Down Expand Up @@ -250,3 +262,91 @@ func (e *HookExecutor) PreLoginHook(w http.ResponseWriter, r *http.Request, a *F

return nil
}

func (e *HookExecutor) linkCredentials(r *http.Request, s *session.Session, i *identity.Identity, f *Flow) error {
var lc flow.RegistrationDuplicateCredentials

if r.Method == "POST" {
var p struct {
FlowID string `json:"linkCredentialsFlow" form:"linkCredentialsFlow"`
}

if err := decoderx.NewHTTP().Decode(r, &p,
decoderx.HTTPDecoderSetValidatePayloads(true),
decoderx.MustHTTPRawJSONSchemaCompiler(linkCredentialsSchema),
decoderx.HTTPDecoderJSONFollowsFormFormat()); err != nil {
return err
}

if p.FlowID != "" {
linkCredentialsFlowID, innerErr := uuid.FromString(p.FlowID)
if innerErr != nil {
return innerErr
}
linkCredentialsFlow, innerErr := e.d.LoginFlowPersister().GetLoginFlow(r.Context(), linkCredentialsFlowID)
if innerErr != nil {
return innerErr
}
innerErr = e.getInternalContextLinkCredentials(linkCredentialsFlow, flow.InternalContextDuplicateCredentialsPath, &lc)
if innerErr != nil {
return innerErr
}
}
}

if lc.CredentialsType == "" {
err := e.getInternalContextLinkCredentials(f, flow.InternalContextLinkCredentialsPath, &lc)
if err != nil {
return err
}
}

if lc.CredentialsType != "" {
if err := e.checkDuplecateCredentialsIdentifierMatch(r.Context(), i.ID, lc.DuplicateIdentifier); err != nil {
return err
}
strategy, err := e.d.AllLoginStrategies().Strategy(lc.CredentialsType)
if err != nil {
return err
}

linkableStrategy, ok := strategy.(LinkableStrategy)
if !ok {
return errors.New(fmt.Sprintf("Strategy is not linkable: %T", linkableStrategy))
}

if err := linkableStrategy.Link(r.Context(), i, lc.CredentialsConfig); err != nil {
return err
}

method := strategy.CompletedAuthenticationMethod(r.Context())
s.CompletedLoginFor(method.Method, method.AAL)
}

return nil
}

func (e *HookExecutor) getInternalContextLinkCredentials(f *Flow, internalContextPath string, lc *flow.RegistrationDuplicateCredentials) error {
internalContextLinkCredentials := gjson.GetBytes(f.InternalContext, internalContextPath)
if internalContextLinkCredentials.IsObject() {
if err := json.Unmarshal([]byte(internalContextLinkCredentials.Raw), lc); err != nil {
return err
}
}
return nil
}

func (e *HookExecutor) checkDuplecateCredentialsIdentifierMatch(ctx context.Context, identityID uuid.UUID, match string) error {
i, err := e.d.PrivilegedIdentityPool().GetIdentityConfidential(ctx, identityID)
if err != nil {
return err
}
for _, credentials := range i.Credentials {
for _, identifier := range credentials.Identifiers {
if identifier == match {
return nil
}
}
}
return schema.NewLinkedCredentialsDoNotMatch()
}
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,28 @@
}
}
},
{
"type": "input",
"group": "oidc",
"attributes": {
"name": "provider",
"type": "submit",
"value": "secondProvider",
"disabled": false,
"node_type": "input"
},
"messages": [],
"meta": {
"label": {
"id": 1010002,
"text": "Sign in with secondProvider",
"type": "info",
"context": {
"provider": "secondProvider"
}
}
}
},
{
"type": "input",
"group": "oidc",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,28 @@
}
}
},
{
"type": "input",
"group": "oidc",
"attributes": {
"name": "provider",
"type": "submit",
"value": "secondProvider",
"disabled": false,
"node_type": "input"
},
"messages": [],
"meta": {
"label": {
"id": 1040002,
"text": "Sign up with secondProvider",
"type": "info",
"context": {
"provider": "secondProvider"
}
}
}
},
{
"type": "input",
"group": "oidc",
Expand Down
Loading

0 comments on commit c06f46b

Please sign in to comment.