feat: add skip_logout_consent option to clients (#3705)

Adds a special field which disables the logout consent screen when performing OIDC logout.

client/.snapshots/TestHandler-common-case=create_clients-case=0-description=basic_dynamic_client_registration.json

@@ -21,6 +21,7 @@
   "userinfo_signed_response_alg": "none",
   "metadata": {},
   "skip_consent": false,
+  "skip_logout_consent": null,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=create_clients-case=1-description=basic_admin_registration.json

@@ -24,6 +24,7 @@
     "foo": "bar"
   },
   "skip_consent": false,
+  "skip_logout_consent": null,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=create_clients-case=10-description=setting_skip_logout_consent_succeeds_for_admin_registration.json

@@ -0,0 +1,36 @@
+{
+  "client_name": "",
+  "client_secret": "2SKZkBf2P5g4toAXXnCrr~_sDM",
+  "redirect_uris": [
+    "http://localhost:3000/cb"
+  ],
+  "grant_types": null,
+  "response_types": null,
+  "scope": "offline_access offline openid",
+  "audience": [],
+  "owner": "",
+  "policy_uri": "",
+  "allowed_cors_origins": [],
+  "tos_uri": "",
+  "client_uri": "",
+  "logo_uri": "",
+  "contacts": null,
+  "client_secret_expires_at": 0,
+  "subject_type": "public",
+  "jwks": {},
+  "token_endpoint_auth_method": "client_secret_basic",
+  "userinfo_signed_response_alg": "none",
+  "metadata": {},
+  "skip_consent": false,
+  "skip_logout_consent": true,
+  "authorization_code_grant_access_token_lifespan": null,
+  "authorization_code_grant_id_token_lifespan": null,
+  "authorization_code_grant_refresh_token_lifespan": null,
+  "client_credentials_grant_access_token_lifespan": null,
+  "implicit_grant_access_token_lifespan": null,
+  "implicit_grant_id_token_lifespan": null,
+  "jwt_bearer_grant_access_token_lifespan": null,
+  "refresh_token_grant_id_token_lifespan": null,
+  "refresh_token_grant_access_token_lifespan": null,
+  "refresh_token_grant_refresh_token_lifespan": null
+}

client/.snapshots/TestHandler-common-case=create_clients-case=11-description=basic_dynamic_client_registration.json

@@ -0,0 +1,4 @@
+{
+  "error": "The request was malformed or contained invalid parameters",
+  "error_description": "It is not allowed to choose your own OAuth2 Client secret."
+}

client/.snapshots/TestHandler-common-case=create_clients-case=12-description=empty_ID_succeeds.json

@@ -0,0 +1,36 @@
+{
+  "client_name": "",
+  "client_secret": "averylongsecret",
+  "redirect_uris": [
+    "http://localhost:3000/cb"
+  ],
+  "grant_types": null,
+  "response_types": null,
+  "scope": "offline_access offline openid",
+  "audience": [],
+  "owner": "",
+  "policy_uri": "",
+  "allowed_cors_origins": [],
+  "tos_uri": "",
+  "client_uri": "",
+  "logo_uri": "",
+  "contacts": null,
+  "client_secret_expires_at": 0,
+  "subject_type": "public",
+  "jwks": {},
+  "token_endpoint_auth_method": "client_secret_basic",
+  "userinfo_signed_response_alg": "none",
+  "metadata": {},
+  "skip_consent": false,
+  "skip_logout_consent": null,
+  "authorization_code_grant_access_token_lifespan": null,
+  "authorization_code_grant_id_token_lifespan": null,
+  "authorization_code_grant_refresh_token_lifespan": null,
+  "client_credentials_grant_access_token_lifespan": null,
+  "implicit_grant_access_token_lifespan": null,
+  "implicit_grant_id_token_lifespan": null,
+  "jwt_bearer_grant_access_token_lifespan": null,
+  "refresh_token_grant_id_token_lifespan": null,
+  "refresh_token_grant_access_token_lifespan": null,
+  "refresh_token_grant_refresh_token_lifespan": null
+}

client/.snapshots/TestHandler-common-case=create_clients-case=4-description=non-uuid_works.json

@@ -24,6 +24,7 @@
   "metadata": {},
   "registration_client_uri": "http://localhost:4444/oauth2/register/not-a-uuid",
   "skip_consent": false,
+  "skip_logout_consent": null,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=create_clients-case=5-description=setting_client_id_as_uuid_works.json

@@ -24,6 +24,7 @@
   "metadata": {},
   "registration_client_uri": "http://localhost:4444/oauth2/register/98941dac-f963-4468-8a23-9483b1e04e3c",
   "skip_consent": false,
+  "skip_logout_consent": null,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=create_clients-case=8-description=setting_skip_consent_succeeds_for_admin_registration.json

@@ -0,0 +1,36 @@
+{
+  "client_name": "",
+  "client_secret": "2SKZkBf2P5g4toAXXnCrr~_sDM",
+  "redirect_uris": [
+    "http://localhost:3000/cb"
+  ],
+  "grant_types": null,
+  "response_types": null,
+  "scope": "offline_access offline openid",
+  "audience": [],
+  "owner": "",
+  "policy_uri": "",
+  "allowed_cors_origins": [],
+  "tos_uri": "",
+  "client_uri": "",
+  "logo_uri": "",
+  "contacts": null,
+  "client_secret_expires_at": 0,
+  "subject_type": "public",
+  "jwks": {},
+  "token_endpoint_auth_method": "client_secret_basic",
+  "userinfo_signed_response_alg": "none",
+  "metadata": {},
+  "skip_consent": true,
+  "skip_logout_consent": null,
+  "authorization_code_grant_access_token_lifespan": null,
+  "authorization_code_grant_id_token_lifespan": null,
+  "authorization_code_grant_refresh_token_lifespan": null,
+  "client_credentials_grant_access_token_lifespan": null,
+  "implicit_grant_access_token_lifespan": null,
+  "implicit_grant_id_token_lifespan": null,
+  "jwt_bearer_grant_access_token_lifespan": null,
+  "refresh_token_grant_id_token_lifespan": null,
+  "refresh_token_grant_access_token_lifespan": null,
+  "refresh_token_grant_refresh_token_lifespan": null
+}

client/.snapshots/TestHandler-common-case=create_clients-case=9-description=setting_skip_logout_consent_fails_for_dynamic_registration.json

@@ -0,0 +1,4 @@
+{
+  "error": "invalid_request",
+  "error_description": "'skip_logout_consent' cannot be set for dynamic client registration"
+}

client/.snapshots/TestHandler-common-case=fetching_existing_client-endpoint=admin.json

@@ -22,6 +22,7 @@
     "userinfo_signed_response_alg": "none",
     "metadata": {},
     "skip_consent": false,
+    "skip_logout_consent": null,
     "authorization_code_grant_access_token_lifespan": null,
     "authorization_code_grant_id_token_lifespan": null,
     "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=fetching_existing_client-endpoint=selfservice.json

@@ -21,6 +21,7 @@
     "token_endpoint_auth_method": "client_secret_basic",
     "userinfo_signed_response_alg": "none",
     "skip_consent": false,
+    "skip_logout_consent": null,
     "authorization_code_grant_access_token_lifespan": null,
     "authorization_code_grant_id_token_lifespan": null,
     "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=update_the_lifespans_of_an_OAuth2_client.json

@@ -22,6 +22,7 @@
     "userinfo_signed_response_alg": "none",
     "metadata": {},
     "skip_consent": false,
+    "skip_logout_consent": null,
     "authorization_code_grant_access_token_lifespan": "31h0m0s",
     "authorization_code_grant_id_token_lifespan": "32h0m0s",
     "authorization_code_grant_refresh_token_lifespan": "33h0m0s",

client/.snapshots/TestHandler-common-case=updating_existing_client-endpoint=admin.json

@@ -24,6 +24,7 @@
     "userinfo_signed_response_alg": "none",
     "metadata": {},
     "skip_consent": false,
+    "skip_logout_consent": null,
     "authorization_code_grant_access_token_lifespan": null,
     "authorization_code_grant_id_token_lifespan": null,
     "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-common-case=updating_existing_client-endpoint=dynamic_client_registration.json

@@ -23,6 +23,7 @@
     "userinfo_signed_response_alg": "none",
     "metadata": {},
     "skip_consent": false,
+    "skip_logout_consent": null,
     "authorization_code_grant_access_token_lifespan": null,
     "authorization_code_grant_id_token_lifespan": null,
     "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-create_client_registration_tokens-case=0-dynamic=true.json

@@ -17,6 +17,7 @@
   "jwks": {},
   "metadata": {},
   "skip_consent": false,
+  "skip_logout_consent": null,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-create_client_registration_tokens-case=1-dynamic=false.json

@@ -17,6 +17,7 @@
   "jwks": {},
   "metadata": {},
   "skip_consent": false,
+  "skip_logout_consent": null,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/.snapshots/TestHandler-create_client_registration_tokens-case=2-dynamic=false.json

@@ -18,6 +18,7 @@
   "jwks": {},
   "metadata": {},
   "skip_consent": false,
+  "skip_logout_consent": null,
   "authorization_code_grant_access_token_lifespan": null,
   "authorization_code_grant_id_token_lifespan": null,
   "authorization_code_grant_refresh_token_lifespan": null,

client/client.go

@@ -311,6 +311,10 @@ type Client struct {
 	// be set from the admin API.
 	SkipConsent bool `json:"skip_consent" db:"skip_consent" faker:"-"`
 
+	// SkipLogoutConsent skips the logout consent screen for this client. This field can only
+	// be set from the admin API.
+	SkipLogoutConsent sqlxx.NullBool `json:"skip_logout_consent" db:"skip_logout_consent" faker:"-"`
+
 	Lifespans
 }
 

client/handler_test.go

@@ -13,6 +13,8 @@ import (
 	"net/http/httptest"
 	"testing"
 
+	"github.com/ory/x/sqlxx"
+
 	"github.com/ory/x/httprouterx"
 
 	"github.com/tidwall/sjson"
@@ -347,11 +349,30 @@ func TestHandler(t *testing.T) {
 					statusCode: http.StatusBadRequest,
 				},
 				{
-					d: "setting skip_consent suceeds for admin registration",
+					d: "setting skip_consent succeeds for admin registration",
 					payload: &client.Client{
 						RedirectURIs: []string{"http://localhost:3000/cb"},
-						SkipConsent:  true,
 						Secret:       "2SKZkBf2P5g4toAXXnCrr~_sDM",
+						SkipConsent:  true,
+					},
+					path:       client.ClientsHandlerPath,
+					statusCode: http.StatusCreated,
+				},
+				{
+					d: "setting skip_logout_consent fails for dynamic registration",
+					payload: &client.Client{
+						RedirectURIs:      []string{"http://localhost:3000/cb"},
+						SkipLogoutConsent: sqlxx.NullBool{Bool: true, Valid: true},
+					},
+					path:       client.DynClientsHandlerPath,
+					statusCode: http.StatusBadRequest,
+				},
+				{
+					d: "setting skip_logout_consent succeeds for admin registration",
+					payload: &client.Client{
+						RedirectURIs:      []string{"http://localhost:3000/cb"},
+						SkipLogoutConsent: sqlxx.NullBool{Bool: true, Valid: true},
+						Secret:            "2SKZkBf2P5g4toAXXnCrr~_sDM",
 					},
 					path:       client.ClientsHandlerPath,
 					statusCode: http.StatusCreated,

client/validator.go

@@ -207,6 +207,9 @@ func (v *Validator) ValidateDynamicRegistration(ctx context.Context, c *Client)
 	if c.SkipConsent {
 		return errorsx.WithStack(ErrInvalidRequest.WithDescription(`"skip_consent" cannot be set for dynamic client registration`))
 	}
+	if c.SkipLogoutConsent.Bool {
+		return errorsx.WithStack(ErrInvalidRequest.WithDescription(`"skip_logout_consent" cannot be set for dynamic client registration`))
+	}
 
 	return v.Validate(ctx, c)
 }

go.mod

@@ -44,7 +44,7 @@ require (
 	github.com/ory/hydra-client-go/v2 v2.1.1
 	github.com/ory/jsonschema/v3 v3.0.8
 	github.com/ory/kratos-client-go v0.13.1
-	github.com/ory/x v0.0.607
+	github.com/ory/x v0.0.612-0.20240130132700-6275e3f1ad0d
 	github.com/pborman/uuid v1.2.1
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.16.0
@@ -225,8 +225,8 @@ require (
 	github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
 	go.mongodb.org/mongo-driver v1.12.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1 // indirect
-	go.opentelemetry.io/contrib/propagators/b3 v1.20.0 // indirect
-	go.opentelemetry.io/contrib/propagators/jaeger v1.20.0 // indirect
+	go.opentelemetry.io/contrib/propagators/b3 v1.21.0 // indirect
+	go.opentelemetry.io/contrib/propagators/jaeger v1.21.1 // indirect
 	go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1 // indirect
 	go.opentelemetry.io/otel/exporters/jaeger v1.17.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect

go.sum

@@ -601,8 +601,8 @@ github.com/ory/jsonschema/v3 v3.0.8 h1:Ssdb3eJ4lDZ/+XnGkvQS/te0p+EkolqwTsDOCxr/F
 github.com/ory/jsonschema/v3 v3.0.8/go.mod h1:ZPzqjDkwd3QTnb2Z6PAS+OTvBE2x5i6m25wCGx54W/0=
 github.com/ory/kratos-client-go v0.13.1 h1:o+pFV9ZRMFSBa4QeNJYbJeLz036UWU4p+7yfKghK+0E=
 github.com/ory/kratos-client-go v0.13.1/go.mod h1:hkrFJuHSBQw+qN6Ks0faOAYhAKwtpjvhCZzsQ7g/Ufc=
-github.com/ory/x v0.0.607 h1:qNP1gU6RWVtsEB04rPht+1rV2DqQhvOAN2sF+4eqVWo=
-github.com/ory/x v0.0.607/go.mod h1:fCYvVVHo8wYrCwLyU8+9hFY3IRo4EZM3KI30ysDsDYY=
+github.com/ory/x v0.0.612-0.20240130132700-6275e3f1ad0d h1:Kbt7Wj0vLSDSUcwGRvoqJVRtae8g4NCBe54t9XjOODc=
+github.com/ory/x v0.0.612-0.20240130132700-6275e3f1ad0d/go.mod h1:uH065puz8neija0neqwIN3PmXXfDsB9VbZTZ20Znoos=
 github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
 github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
@@ -767,10 +767,10 @@ go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.
 go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1/go.mod h1:GnOaBaFQ2we3b9AGWJpsBa7v1S5RlQzlC3O7dRMxZhM=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo=
-go.opentelemetry.io/contrib/propagators/b3 v1.20.0 h1:Yty9Vs4F3D6/liF1o6FNt0PvN85h/BJJ6DQKJ3nrcM0=
-go.opentelemetry.io/contrib/propagators/b3 v1.20.0/go.mod h1:On4VgbkqYL18kbJlWsa18+cMNe6rYpBnPi1ARI/BrsU=
-go.opentelemetry.io/contrib/propagators/jaeger v1.20.0 h1:iVhNKkMIpzyZqxk8jkDU2n4DFTD+FbpGacvooxEvyyc=
-go.opentelemetry.io/contrib/propagators/jaeger v1.20.0/go.mod h1:cpSABr0cm/AH/HhbJjn+AudBVUMgZWdfN3Gb+ZqxSZc=
+go.opentelemetry.io/contrib/propagators/b3 v1.21.0 h1:uGdgDPNzwQWRwCXJgw/7h29JaRqcq9B87Iv4hJDKAZw=
+go.opentelemetry.io/contrib/propagators/b3 v1.21.0/go.mod h1:D9GQXvVGT2pzyTfp1QBOnD1rzKEWzKjjwu5q2mslCUI=
+go.opentelemetry.io/contrib/propagators/jaeger v1.21.1 h1:f4beMGDKiVzg9IcX7/VuWVy+oGdjx3dNJ72YehmtY5k=
+go.opentelemetry.io/contrib/propagators/jaeger v1.21.1/go.mod h1:U9jhkEl8d1LL+QXY7q3kneJWJugiN3kZJV2OWz3hkBY=
 go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1 h1:Qb+5A+JbIjXwO7l4HkRUhgIn4Bzz0GNS2q+qdmSx+0c=
 go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1/go.mod h1:G4vNCm7fRk0kjZ6pGNLo5SpLxAUvOfSrcaegnT8TPck=
 go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc=
@@ -912,7 +912,6 @@ golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0=
 golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

internal/httpclient/api/openapi.yaml

@@ -2593,6 +2593,7 @@ components:
         sector_identifier_uri: sector_identifier_uri
         frontchannel_logout_session_required: true
         frontchannel_logout_uri: frontchannel_logout_uri
+        skip_logout_consent: true
         refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
         implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
         client_secret_expires_at: 0
@@ -2885,6 +2886,11 @@ components:
             SkipConsent skips the consent screen for this client. This field can only
             be set from the admin API.
           type: boolean
+        skip_logout_consent:
+          description: |-
+            SkipLogoutConsent skips the logout consent screen for this client. This field can only
+            be set from the admin API.
+          type: boolean
         subject_type:
           description: |-
             OpenID Connect Subject Type
@@ -3077,6 +3083,7 @@ components:
           sector_identifier_uri: sector_identifier_uri
           frontchannel_logout_session_required: true
           frontchannel_logout_uri: frontchannel_logout_uri
+          skip_logout_consent: true
           refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
           implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
           client_secret_expires_at: 0
@@ -3306,6 +3313,7 @@ components:
             sector_identifier_uri: sector_identifier_uri
             frontchannel_logout_session_required: true
             frontchannel_logout_uri: frontchannel_logout_uri
+            skip_logout_consent: true
             refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
             implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
             client_secret_expires_at: 0
@@ -3454,6 +3462,7 @@ components:
           sector_identifier_uri: sector_identifier_uri
           frontchannel_logout_session_required: true
           frontchannel_logout_uri: frontchannel_logout_uri
+          skip_logout_consent: true
           refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
           implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
           client_secret_expires_at: 0
@@ -3584,6 +3593,7 @@ components:
           sector_identifier_uri: sector_identifier_uri
           frontchannel_logout_session_required: true
           frontchannel_logout_uri: frontchannel_logout_uri
+          skip_logout_consent: true
           refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
           implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
           client_secret_expires_at: 0