Merge remote-tracking branch 'origin/master' into csrf

CHANGELOG.md

@@ -4,7 +4,7 @@
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 **Table of Contents**
 
-- [0.0.0 (2023-12-28)](#000-2023-12-28)
+- [0.0.0 (2024-01-08)](#000-2024-01-08)
     - [Bug Fixes](#bug-fixes)
     - [Documentation](#documentation)
     - [Features](#features)
@@ -703,7 +703,7 @@
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
-# [0.0.0](https://github.com/ory/hydra/compare/v2.2.0-rc.3...v0.0.0) (2023-12-28)
+# [0.0.0](https://github.com/ory/hydra/compare/v2.2.0-rc.3...v0.0.0) (2024-01-08)
 
 
 ### Bug Fixes
@@ -727,6 +727,8 @@
     * fix: bump golangci-lint
 
 * Improved SSRF protection ([#3669](https://github.com/ory/hydra/issues/3669)) ([24c3be5](https://github.com/ory/hydra/commit/24c3be574a11a76e69f09a24754f20cf644b624c))
+* Remove required mark ([#3693](https://github.com/ory/hydra/issues/3693)) ([3a764a0](https://github.com/ory/hydra/commit/3a764a053a3d7eab698668cf63d387ea76c1db40))
+* Timeout in jwt-bearer grants when too many grants are available ([#3692](https://github.com/ory/hydra/issues/3692)) ([a748797](https://github.com/ory/hydra/commit/a748797761f5503b048df1b57bcc406f16cd40a3))
 * Verifiable credentials JWT format ([#3614](https://github.com/ory/hydra/issues/3614)) ([0176adc](https://github.com/ory/hydra/commit/0176adc17848ab1dd021910ea31202dbdcd51737))
 
 ### Documentation
@@ -737,6 +739,7 @@
 
 * Add authentication options to hooks ([#3633](https://github.com/ory/hydra/issues/3633)) ([5c8e792](https://github.com/ory/hydra/commit/5c8e7923ed22f6d231ca748bb76e4261a87afb08))
 * Add flag to export public keys ([#3684](https://github.com/ory/hydra/issues/3684)) ([62c006b](https://github.com/ory/hydra/commit/62c006b916351e7f74fb00e0006ea112801143d7))
+* Add missing index for jwk table ([#3691](https://github.com/ory/hydra/issues/3691)) ([39ee5e1](https://github.com/ory/hydra/commit/39ee5e1f0cfa7fae5c4f9e1663a930cb5b8c2bc9))
 * Add prompt=registration ([#3636](https://github.com/ory/hydra/issues/3636)) ([19857d2](https://github.com/ory/hydra/commit/19857d20b1d7d3b918de5388f17076de0660a6be)):
 
     Ory Hydra now supports a `registration` value for the `prompt` parameter of

flow/consent_types.go

@@ -481,13 +481,9 @@ type LoginRequest struct {
 	ID string `json:"challenge"`
 
 	// RequestedScope contains the OAuth 2.0 Scope requested by the OAuth 2.0 Client.
-	//
-	// required: true
 	RequestedScope sqlxx.StringSliceJSONFormat `json:"requested_scope"`
 
 	// RequestedAudience contains the access token audience as requested by the OAuth 2.0 Client.
-	//
-	// required: true
 	RequestedAudience sqlxx.StringSliceJSONFormat `json:"requested_access_token_audience"`
 
 	// Skip, if true, implies that the client has requested the same scopes from the same user previously.

internal/httpclient/api/openapi.yaml

@@ -3470,8 +3470,6 @@ components:
       - challenge
       - client
       - request_url
-      - requested_access_token_audience
-      - requested_scope
       - skip
       - subject
       title: Contains information on an ongoing login request.

internal/httpclient/docs/OAuth2LoginRequest.md

@@ -8,8 +8,8 @@ Name | Type | Description | Notes
 **Client** | [**OAuth2Client**](OAuth2Client.md) |  | 
 **OidcContext** | Pointer to [**OAuth2ConsentRequestOpenIDConnectContext**](OAuth2ConsentRequestOpenIDConnectContext.md) |  | [optional] 
 **RequestUrl** | **string** | RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but might come in handy if you want to deal with additional request parameters. | 
-**RequestedAccessTokenAudience** | **[]string** |  | 
-**RequestedScope** | **[]string** |  | 
+**RequestedAccessTokenAudience** | Pointer to **[]string** |  | [optional] 
+**RequestedScope** | Pointer to **[]string** |  | [optional] 
 **SessionId** | Pointer to **string** | SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag) this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false) this will be a new random value. This value is used as the \"sid\" parameter in the ID Token and in OIDC Front-/Back- channel logout. It's value can generally be used to associate consecutive login requests by a certain user. | [optional] 
 **Skip** | **bool** | Skip, if true, implies that the client has requested the same scopes from the same user previously. If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL.  This feature allows you to update / set session information. | 
 **Subject** | **string** | Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type when accepting the login request, or the request will fail. | 
@@ -18,7 +18,7 @@ Name | Type | Description | Notes
 
 ### NewOAuth2LoginRequest
 
-`func NewOAuth2LoginRequest(challenge string, client OAuth2Client, requestUrl string, requestedAccessTokenAudience []string, requestedScope []string, skip bool, subject string, ) *OAuth2LoginRequest`
+`func NewOAuth2LoginRequest(challenge string, client OAuth2Client, requestUrl string, skip bool, subject string, ) *OAuth2LoginRequest`
 
 NewOAuth2LoginRequest instantiates a new OAuth2LoginRequest object
 This constructor will assign default values to properties that have it defined,
@@ -137,6 +137,11 @@ and a boolean to check if the value has been set.
 
 SetRequestedAccessTokenAudience sets RequestedAccessTokenAudience field to given value.
 
+### HasRequestedAccessTokenAudience
+
+`func (o *OAuth2LoginRequest) HasRequestedAccessTokenAudience() bool`
+
+HasRequestedAccessTokenAudience returns a boolean if a field has been set.
 
 ### GetRequestedScope
 
@@ -157,6 +162,11 @@ and a boolean to check if the value has been set.
 
 SetRequestedScope sets RequestedScope field to given value.
 
+### HasRequestedScope
+
+`func (o *OAuth2LoginRequest) HasRequestedScope() bool`
+
+HasRequestedScope returns a boolean if a field has been set.
 
 ### GetSessionId
 

oauth2/fosite_store_helpers.go

@@ -1000,6 +1000,31 @@ func testFositeJWTBearerGrantStorage(x InternalRegistry) func(t *testing.T) {
 			require.NotNil(t, jwks)
 			require.NotEmpty(t, jwks.Keys)
 		})
+
+		t.Run("case=does not return expired values", func(t *testing.T) {
+			keySet, err := jwk.GenerateJWK(context.Background(), jose.RS256, "issuer-expired-key", "sig")
+			require.NoError(t, err)
+
+			publicKey := keySet.Keys[0].Public()
+			issuer := "expired-issuer"
+			grant := trust.Grant{
+				ID:              uuid.New(),
+				Issuer:          issuer,
+				Subject:         "",
+				AllowAnySubject: true,
+				Scope:           []string{"openid", "offline"},
+				PublicKey:       trust.PublicKey{Set: issuer, KeyID: publicKey.KeyID},
+				CreatedAt:       time.Now().UTC().Round(time.Second),
+				ExpiresAt:       time.Now().UTC().Round(time.Second).AddDate(-1, 0, 0),
+			}
+
+			err = grantManager.CreateGrant(context.TODO(), grant, publicKey)
+			require.NoError(t, err)
+
+			keys, err := grantStorage.GetPublicKeys(context.TODO(), issuer, "any-subject-3")
+			require.NoError(t, err)
+			assert.Len(t, keys.Keys, 0)
+		})
 	}
 }
 

persistence/sql/migrations/20240104181300000001_jwk_index.down.sql

@@ -0,0 +1,2 @@
+DROP INDEX hydra_jwk_nid_sid_created_at_idx;
+DROP INDEX hydra_jwk_nid_sid_kid_created_at_idx;

persistence/sql/migrations/20240104181300000001_jwk_index.up.sql

@@ -0,0 +1,2 @@
+CREATE INDEX hydra_jwk_nid_sid_created_at_idx ON hydra_jwk (nid, sid, created_at);
+CREATE INDEX hydra_jwk_nid_sid_kid_created_at_idx ON hydra_jwk (nid, sid, kid, created_at);

persistence/sql/persister_grant_jwk.go

@@ -133,11 +133,19 @@ func (p *Persister) GetPublicKeys(ctx context.Context, issuer string, subject st
 	ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.GetPublicKeys")
 	defer otelx.End(span, &err)
 
+	expiresAt := "expires_at > NOW()"
+	if p.conn.Dialect.Name() == "sqlite3" {
+		expiresAt = "expires_at > datetime('now')"
+	}
+
 	grantsData := make([]trust.SQLData, 0)
 	query := p.QueryWithNetwork(ctx).
+		Select("key_set", "key_id").
+		Where(expiresAt).
 		Where("issuer = ?", issuer).
 		Where("(subject = ? OR allow_any_subject IS TRUE)", subject).
-		Where("nid = ?", p.NetworkID(ctx))
+		Order("created_at DESC").
+		Limit(100) // Load maximum of 100 keys
 
 	if err := query.All(&grantsData); err != nil {
 		return nil, sqlcon.HandleError(err)

spec/api.json

@@ -1014,8 +1014,6 @@
         },
         "required": [
           "challenge",
-          "requested_scope",
-          "requested_access_token_audience",
           "skip",
           "subject",
           "client",

spec/swagger.json

@@ -2975,8 +2975,6 @@
       "title": "Contains information on an ongoing login request.",
       "required": [
         "challenge",
-        "requested_scope",
-        "requested_access_token_audience",
         "skip",
         "subject",
         "client",