feat: add a policy callback to customize OIDC credential linking

.grype.yaml

@@ -6,3 +6,4 @@ ignore:
   - vulnerability: CVE-2023-2650
   - vulnerability: CVE-2023-4813
   - vulnerability: CVE-2023-4806
+  - vulnerability: CVE-2025-0395 # no fix available

codecov.yml

@@ -2,7 +2,7 @@ coverage:
   status:
     project:
       default:
-        target: 65%
+        target: auto
         threshold: 10%
         only_pulls: true
 ignore:

internal/client-go/go.sum

@@ -4,6 +4,7 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

selfservice/strategy/oidc/strategy.go

@@ -13,6 +13,7 @@ import (
 	"path/filepath"
 	"slices"
 	"strings"
+	"testing"
 	"time"
 
 	"github.com/gofrs/uuid"
@@ -115,6 +116,23 @@ func isForced(req interface{}) bool {
 	return ok && f.IsRefresh()
 }
 
+// ConflictingIdentityVerdict encodes the decision on what to do on a oconflict
+// between an existing and a new identity.
+type ConflictingIdentityVerdict int
+
+const (
+	// ConflictingIdentityVerdictUnknown is the default value and should not be used.
+	ConflictingIdentityVerdictUnknown ConflictingIdentityVerdict = iota
+
+	// ConflictingIdentityVerdictReject rejects the new identity. The flow will
+	// continue with an explicit account linking step, where the user will need to
+	// confirm an existing credential on the identity.
+	ConflictingIdentityVerdictReject
+
+	// ConflictingIdentityVerdictMerge merges the new identity into the existing.
+	ConflictingIdentityVerdictMerge
+)
+
 // Strategy implements selfservice.LoginStrategy, selfservice.RegistrationStrategy and selfservice.SettingsStrategy.
 // It supports login, registration and settings via OpenID Providers.
 type Strategy struct {
@@ -124,6 +142,8 @@ type Strategy struct {
 	credType                    identity.CredentialsType
 	handleUnknownProviderError  func(err error) error
 	handleMethodNotAllowedError func(err error) error
+
+	conflictingIdentityPolicy func(existingIdentity, newIdentity *identity.Identity) ConflictingIdentityVerdict
 }
 
 type AuthCodeContainer struct {
@@ -224,6 +244,22 @@ func WithHandleMethodNotAllowedError(handler func(error) error) NewStrategyOpt {
 	return func(s *Strategy) { s.handleMethodNotAllowedError = handler }
 }
 
+// WithOnConflictingIdentity sets a policy handler for deciding what to do when a
+// new identity conflicts with an existing one during login.
+func WithOnConflictingIdentity(handler func(existingIdentity, newIdentity *identity.Identity) ConflictingIdentityVerdict) NewStrategyOpt {
+	return func(s *Strategy) { s.conflictingIdentityPolicy = handler }
+}
+
+// SetOnConflictingIdentity sets a policy handler for deciding what to do when a
+// new identity conflicts with an existing one during login. This should only be
+// called in tests.
+func (s *Strategy) SetOnConflictingIdentity(t testing.TB, handler func(existingIdentity, newIdentity *identity.Identity) ConflictingIdentityVerdict) {
+	if t == nil {
+		panic("this should only be called in tests")
+	}
+	s.conflictingIdentityPolicy = handler
+}
+
 func NewStrategy(d any, opts ...NewStrategyOpt) *Strategy {
 	s := &Strategy{
 		d:                           d.(Dependencies),
@@ -232,6 +268,7 @@ func NewStrategy(d any, opts ...NewStrategyOpt) *Strategy {
 		handleUnknownProviderError:  func(err error) error { return err },
 		handleMethodNotAllowedError: func(err error) error { return err },
 	}
+
 	for _, opt := range opts {
 		opt(s)
 	}

selfservice/strategy/oidc/strategy_login.go

@@ -28,6 +28,7 @@ import (
 	"github.com/ory/kratos/x"
 	"github.com/ory/x/otelx"
 	"github.com/ory/x/sqlcon"
+	"github.com/ory/x/sqlxx"
 	"github.com/ory/x/stringsx"
 )
 
@@ -98,71 +99,135 @@ type UpdateLoginFlowWithOidcMethod struct {
 	TransientPayload json.RawMessage `json:"transient_payload,omitempty" form:"transient_payload"`
 }
 
+func (s *Strategy) handleConflictingIdentity(ctx context.Context, w http.ResponseWriter, r *http.Request, loginFlow *login.Flow, token *identity.CredentialsOIDCEncryptedTokens, claims *Claims, provider Provider, container *AuthCodeContainer) (verdict ConflictingIdentityVerdict, id *identity.Identity, credentials *identity.Credentials, err error) {
+	if s.conflictingIdentityPolicy == nil {
+		return ConflictingIdentityVerdictReject, nil, nil, nil
+	}
+
+	// Find out if there is a conflicting identity
+	newIdentity, va, err := s.newIdentityFromClaims(ctx, claims, provider, container)
+	if err != nil {
+		return ConflictingIdentityVerdictReject, nil, nil, nil
+	}
+	// Validate the identity itself
+	if err := s.d.IdentityValidator().Validate(ctx, newIdentity); err != nil {
+		return ConflictingIdentityVerdictUnknown, nil, nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, newIdentity.Traits, err)
+	}
+
+	for n := range newIdentity.VerifiableAddresses {
+		verifiable := &newIdentity.VerifiableAddresses[n]
+		for _, verified := range va {
+			if verifiable.Via == verified.Via && verifiable.Value == verified.Value {
+				verifiable.Status = identity.VerifiableAddressStatusCompleted
+				verifiable.Verified = true
+				t := sqlxx.NullTime(time.Now().UTC().Round(time.Second))
+				verifiable.VerifiedAt = &t
+			}
+		}
+	}
+
+	creds, err := identity.NewCredentialsOIDC(token, provider.Config().ID, claims.Subject, provider.Config().OrganizationID)
+	if err != nil {
+		return ConflictingIdentityVerdictUnknown, nil, nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, newIdentity.Traits, err)
+	}
+
+	newIdentity.SetCredentials(s.ID(), *creds)
+
+	existingIdentity, _, _, err := s.d.IdentityManager().ConflictingIdentity(ctx, newIdentity)
+	if err != nil {
+		return ConflictingIdentityVerdictReject, nil, nil, nil
+	}
+
+	verdict = s.conflictingIdentityPolicy(existingIdentity, newIdentity)
+	if verdict == ConflictingIdentityVerdictMerge {
+		existingIdentity.SetCredentials(s.ID(), *creds)
+		if err := s.d.PrivilegedIdentityPool().UpdateIdentity(ctx, existingIdentity); err != nil {
+			return ConflictingIdentityVerdictUnknown, nil, nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, newIdentity.Traits, err)
+		}
+	}
+
+	return verdict, existingIdentity, creds, nil
+}
+
 func (s *Strategy) ProcessLogin(ctx context.Context, w http.ResponseWriter, r *http.Request, loginFlow *login.Flow, token *identity.CredentialsOIDCEncryptedTokens, claims *Claims, provider Provider, container *AuthCodeContainer) (_ *registration.Flow, err error) {
 	ctx, span := s.d.Tracer(ctx).Tracer().Start(ctx, "selfservice.strategy.oidc.Strategy.processLogin")
 	defer otelx.End(span, &err)
 
 	i, c, err := s.d.PrivilegedIdentityPool().FindByCredentialsIdentifier(ctx, s.ID(), identity.OIDCUniqueID(provider.Config().ID, claims.Subject))
 	if err != nil {
 		if errors.Is(err, sqlcon.ErrNoRows) {
-			// If no account was found we're "manually" creating a new registration flow and redirecting the browser
-			// to that endpoint.
-
-			// That will execute the "pre registration" hook which allows to e.g. disallow this request. The registration
-			// ui however will NOT be shown, instead the user is directly redirected to the auth path. That should then
-			// do a silent re-request. While this might be a bit excessive from a network perspective it should usually
-			// happen without any downsides to user experience as the flow has already been authorized and should
-			// not need additional consent/login.
-
-			// This is kinda hacky but the only way to ensure seamless login/registration flows when using OIDC.
-			s.d.
-				Logger().
-				WithField("provider", provider.Config().ID).
-				WithField("subject", claims.Subject).
-				Debug("Received successful OpenID Connect callback but user is not registered. Re-initializing registration flow now.")
-
-			// If return_to was set before, we need to preserve it.
-			var opts []registration.FlowOption
-			if len(loginFlow.ReturnTo) > 0 {
-				opts = append(opts, registration.WithFlowReturnTo(loginFlow.ReturnTo))
+			var verdict ConflictingIdentityVerdict
+			verdict, i, c, err = s.handleConflictingIdentity(ctx, w, r, loginFlow, token, claims, provider, container)
+			if err != nil {
+				return nil, err
 			}
+			switch verdict {
+			case ConflictingIdentityVerdictUnknown:
+				// This should never happen if err == nil, but just for safety:
+				return nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("Unknown verdict"))
+			case ConflictingIdentityVerdictMerge:
+				// Do nothing
+			case ConflictingIdentityVerdictReject:
+				// If no account was found we're "manually" creating a new registration flow and redirecting the browser
+				// to that endpoint.
+
+				// That will execute the "pre registration" hook which allows to e.g. disallow this request. The registration
+				// ui however will NOT be shown, instead the user is directly redirected to the auth path. That should then
+				// do a silent re-request. While this might be a bit excessive from a network perspective it should usually
+				// happen without any downsides to user experience as the flow has already been authorized and should
+				// not need additional consent/login.
+
+				// This is kinda hacky but the only way to ensure seamless login/registration flows when using OIDC.
+				s.d.
+					Logger().
+					WithField("provider", provider.Config().ID).
+					WithField("subject", claims.Subject).
+					Debug("Received successful OpenID Connect callback but user is not registered. Re-initializing registration flow now.")
+
+				// If return_to was set before, we need to preserve it.
+				var opts []registration.FlowOption
+				if len(loginFlow.ReturnTo) > 0 {
+					opts = append(opts, registration.WithFlowReturnTo(loginFlow.ReturnTo))
+				}
 
-			if loginFlow.OAuth2LoginChallenge.String() != "" {
-				opts = append(opts, registration.WithFlowOAuth2LoginChallenge(loginFlow.OAuth2LoginChallenge.String()))
-			}
+				if loginFlow.OAuth2LoginChallenge.String() != "" {
+					opts = append(opts, registration.WithFlowOAuth2LoginChallenge(loginFlow.OAuth2LoginChallenge.String()))
+				}
 
-			registrationFlow, err := s.d.RegistrationHandler().NewRegistrationFlow(w, r, loginFlow.Type, opts...)
-			if err != nil {
-				return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err)
-			}
+				registrationFlow, err := s.d.RegistrationHandler().NewRegistrationFlow(w, r, loginFlow.Type, opts...)
+				if err != nil {
+					return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err)
+				}
 
-			err = s.d.SessionTokenExchangePersister().MoveToNewFlow(ctx, loginFlow.ID, registrationFlow.ID)
-			if err != nil {
-				return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err)
-			}
+				err = s.d.SessionTokenExchangePersister().MoveToNewFlow(ctx, loginFlow.ID, registrationFlow.ID)
+				if err != nil {
+					return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err)
+				}
 
-			registrationFlow.OrganizationID = loginFlow.OrganizationID
-			registrationFlow.IDToken = loginFlow.IDToken
-			registrationFlow.RawIDTokenNonce = loginFlow.RawIDTokenNonce
-			registrationFlow.TransientPayload = loginFlow.TransientPayload
-			registrationFlow.Active = s.ID()
+				registrationFlow.OrganizationID = loginFlow.OrganizationID
+				registrationFlow.IDToken = loginFlow.IDToken
+				registrationFlow.RawIDTokenNonce = loginFlow.RawIDTokenNonce
+				registrationFlow.TransientPayload = loginFlow.TransientPayload
+				registrationFlow.Active = s.ID()
 
-			// We are converting the flow here, but want to retain the original request URL.
-			registrationFlow.RequestURL = loginFlow.RequestURL
+				// We are converting the flow here, but want to retain the original request URL.
+				registrationFlow.RequestURL = loginFlow.RequestURL
 
-			if _, err := s.processRegistration(ctx, w, r, registrationFlow, token, claims, provider, container); err != nil {
-				return registrationFlow, err
+				if _, err := s.processRegistration(ctx, w, r, registrationFlow, token, claims, provider, container); err != nil {
+					return registrationFlow, err
+				}
+
+				return nil, nil
 			}
 
-			return nil, nil
+		} else {
+			return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err)
 		}
-
-		return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, err)
 	}
 
 	var oidcCredentials identity.CredentialsOIDC
 	if err := json.NewDecoder(bytes.NewBuffer(c.Config)).Decode(&oidcCredentials); err != nil {
-		return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("The password credentials could not be decoded properly").WithDebug(err.Error())))
+		return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("The OpenID Connect credentials could not be decoded properly").WithDebug(err.Error())))
 	}
 
 	sess := session.NewInactiveSession()
@@ -177,7 +242,7 @@ func (s *Strategy) ProcessLogin(ctx context.Context, w http.ResponseWriter, r *h
 		}
 	}
 
-	return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("Unable to find matching OpenID Connect Credentials.").WithDebugf(`Unable to find credentials that match the given Provider "%s" and subject "%s".`, provider.Config().ID, claims.Subject)))
+	return nil, s.HandleError(ctx, w, r, loginFlow, provider.Config().ID, nil, errors.WithStack(herodot.ErrInternalServerError.WithReason("Unable to find matching OpenID Connect credentials.").WithDebugf(`Unable to find credentials that match the given provider "%s" and subject "%s".`, provider.Config().ID, claims.Subject)))
 }
 
 func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow, _ *session.Session) (i *identity.Identity, err error) {

selfservice/strategy/oidc/strategy_registration.go

@@ -315,13 +315,7 @@ func (s *Strategy) processRegistration(ctx context.Context, w http.ResponseWrite
 		return nil, nil
 	}
 
-	fetch := fetcher.NewFetcher(fetcher.WithClient(s.d.HTTPClient(ctx)), fetcher.WithCache(jsonnetCache, 60*time.Minute))
-	jsonnetMapperSnippet, err := fetch.FetchContext(ctx, provider.Config().Mapper)
-	if err != nil {
-		return nil, s.HandleError(ctx, w, r, rf, provider.Config().ID, nil, err)
-	}
-
-	i, va, err := s.createIdentity(ctx, w, r, rf, claims, provider, container, jsonnetMapperSnippet.Bytes())
+	i, va, err := s.newIdentityFromClaims(ctx, claims, provider, container)
 	if err != nil {
 		return nil, s.HandleError(ctx, w, r, rf, provider.Config().ID, nil, err)
 	}
@@ -356,47 +350,52 @@ func (s *Strategy) processRegistration(ctx context.Context, w http.ResponseWrite
 	return nil, nil
 }
 
-func (s *Strategy) createIdentity(ctx context.Context, w http.ResponseWriter, r *http.Request, a *registration.Flow, claims *Claims, provider Provider, container *AuthCodeContainer, jsonnetSnippet []byte) (*identity.Identity, []VerifiedAddress, error) {
+func (s *Strategy) newIdentityFromClaims(ctx context.Context, claims *Claims, provider Provider, container *AuthCodeContainer) (*identity.Identity, []VerifiedAddress, error) {
+	fetch := fetcher.NewFetcher(fetcher.WithClient(s.d.HTTPClient(ctx)), fetcher.WithCache(jsonnetCache, 60*time.Minute))
+	jsonnetSnippet, err := fetch.FetchContext(ctx, provider.Config().Mapper)
+	if err != nil {
+		return nil, nil, err
+	}
+
 	var jsonClaims bytes.Buffer
 	if err := json.NewEncoder(&jsonClaims).Encode(claims); err != nil {
-		return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, nil, err)
+		return nil, nil, err
 	}
 
 	vm, err := s.d.JsonnetVM(ctx)
 	if err != nil {
-		return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, nil, err)
+		return nil, nil, err
 	}
 
 	vm.ExtCode("claims", jsonClaims.String())
-	evaluated, err := vm.EvaluateAnonymousSnippet(provider.Config().Mapper, string(jsonnetSnippet))
+	evaluated, err := vm.EvaluateAnonymousSnippet(provider.Config().Mapper, jsonnetSnippet.String())
 	if err != nil {
-		return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, nil, err)
+		return nil, nil, err
 	}
 
 	i := identity.NewIdentity(s.d.Config().DefaultIdentityTraitsSchemaID(ctx))
-	if err := s.setTraits(ctx, w, r, a, provider, container, evaluated, i); err != nil {
-		return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, i.Traits, err)
+	if err := s.setTraits(provider, container, evaluated, i); err != nil {
+		return nil, nil, err
 	}
 
 	if err := s.setMetadata(evaluated, i, PublicMetadata); err != nil {
-		return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, i.Traits, err)
+		return nil, nil, err
 	}
 
 	if err := s.setMetadata(evaluated, i, AdminMetadata); err != nil {
-		return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, i.Traits, err)
+		return nil, nil, err
 	}
 
 	va, err := s.extractVerifiedAddresses(evaluated)
 	if err != nil {
-		return nil, nil, s.HandleError(ctx, w, r, a, provider.Config().ID, i.Traits, err)
+		return nil, nil, err
 	}
 
 	if orgID, err := uuid.FromString(provider.Config().OrganizationID); err == nil {
 		i.OrganizationID = uuid.NullUUID{UUID: orgID, Valid: true}
 	}
 
 	s.d.Logger().
-		WithRequest(r).
 		WithField("oidc_provider", provider.Config().ID).
 		WithSensitiveField("oidc_claims", claims).
 		WithSensitiveField("mapper_jsonnet_output", evaluated).
@@ -405,7 +404,7 @@ func (s *Strategy) createIdentity(ctx context.Context, w http.ResponseWriter, r
 	return i, va, nil
 }
 
-func (s *Strategy) setTraits(ctx context.Context, w http.ResponseWriter, r *http.Request, a *registration.Flow, provider Provider, container *AuthCodeContainer, evaluated string, i *identity.Identity) error {
+func (s *Strategy) setTraits(provider Provider, container *AuthCodeContainer, evaluated string, i *identity.Identity) error {
 	jsonTraits := gjson.Get(evaluated, "identity.traits")
 	if !jsonTraits.IsObject() {
 		return errors.WithStack(herodot.ErrInternalServerError.WithReasonf("OpenID Connect Jsonnet mapper did not return an object for key identity.traits. Please check your Jsonnet code!"))
@@ -414,15 +413,14 @@ func (s *Strategy) setTraits(ctx context.Context, w http.ResponseWriter, r *http
 	if container != nil {
 		traits, err := merge(container.Traits, json.RawMessage(jsonTraits.Raw))
 		if err != nil {
-			return s.HandleError(ctx, w, r, a, provider.Config().ID, nil, err)
+			return err
 		}
 
 		i.Traits = traits
 	} else {
 		i.Traits = identity.Traits(jsonTraits.Raw)
 	}
 	s.d.Logger().
-		WithRequest(r).
 		WithField("oidc_provider", provider.Config().ID).
 		WithSensitiveField("identity_traits", i.Traits).
 		WithSensitiveField("mapper_jsonnet_output", evaluated).