feat: parse all id token claims into raw_claims (#2765)

All ID Token claims resulting from the Social Sign In flow are now available in `raw_claims` and can be used in the Social Sign In JsonNet Mapper.

Closes #2528

Author: pr1ze

selfservice/strategy/oidc/provider.go

@@ -22,27 +22,28 @@ type TokenExchanger interface {
 
 // ConvertibleBoolean is used as Apple casually sends the email_verified field as a string.
 type Claims struct {
-	Issuer              string               `json:"iss,omitempty"`
-	Subject             string               `json:"sub,omitempty"`
-	Name                string               `json:"name,omitempty"`
-	GivenName           string               `json:"given_name,omitempty"`
-	FamilyName          string               `json:"family_name,omitempty"`
-	LastName            string               `json:"last_name,omitempty"`
-	MiddleName          string               `json:"middle_name,omitempty"`
-	Nickname            string               `json:"nickname,omitempty"`
-	PreferredUsername   string               `json:"preferred_username,omitempty"`
-	Profile             string               `json:"profile,omitempty"`
-	Picture             string               `json:"picture,omitempty"`
-	Website             string               `json:"website,omitempty"`
-	Email               string               `json:"email,omitempty"`
-	EmailVerified       x.ConvertibleBoolean `json:"email_verified,omitempty"`
-	Gender              string               `json:"gender,omitempty"`
-	Birthdate           string               `json:"birthdate,omitempty"`
-	Zoneinfo            string               `json:"zoneinfo,omitempty"`
-	Locale              string               `json:"locale,omitempty"`
-	PhoneNumber         string               `json:"phone_number,omitempty"`
-	PhoneNumberVerified bool                 `json:"phone_number_verified,omitempty"`
-	UpdatedAt           int64                `json:"updated_at,omitempty"`
-	HD                  string               `json:"hd,omitempty"`
-	Team                string               `json:"team,omitempty"`
+	Issuer              string                 `json:"iss,omitempty"`
+	Subject             string                 `json:"sub,omitempty"`
+	Name                string                 `json:"name,omitempty"`
+	GivenName           string                 `json:"given_name,omitempty"`
+	FamilyName          string                 `json:"family_name,omitempty"`
+	LastName            string                 `json:"last_name,omitempty"`
+	MiddleName          string                 `json:"middle_name,omitempty"`
+	Nickname            string                 `json:"nickname,omitempty"`
+	PreferredUsername   string                 `json:"preferred_username,omitempty"`
+	Profile             string                 `json:"profile,omitempty"`
+	Picture             string                 `json:"picture,omitempty"`
+	Website             string                 `json:"website,omitempty"`
+	Email               string                 `json:"email,omitempty"`
+	EmailVerified       x.ConvertibleBoolean   `json:"email_verified,omitempty"`
+	Gender              string                 `json:"gender,omitempty"`
+	Birthdate           string                 `json:"birthdate,omitempty"`
+	Zoneinfo            string                 `json:"zoneinfo,omitempty"`
+	Locale              string                 `json:"locale,omitempty"`
+	PhoneNumber         string                 `json:"phone_number,omitempty"`
+	PhoneNumberVerified bool                   `json:"phone_number_verified,omitempty"`
+	UpdatedAt           int64                  `json:"updated_at,omitempty"`
+	HD                  string                 `json:"hd,omitempty"`
+	Team                string                 `json:"team,omitempty"`
+	RawClaims           map[string]interface{} `json:"raw_claims,omitempty"`
 }

selfservice/strategy/oidc/provider_generic_oidc.go

@@ -95,6 +95,12 @@ func (g *ProviderGenericOIDC) verifyAndDecodeClaimsWithProvider(ctx context.Cont
 		return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("%s", err))
 	}
 
+	var rawClaims map[string]interface{}
+	if err := token.Claims(&rawClaims); err != nil {
+		return nil, errors.WithStack(herodot.ErrBadRequest.WithReasonf("%s", err))
+	}
+	claims.RawClaims = rawClaims
+
 	return &claims, nil
 }
 

selfservice/strategy/oidc/strategy_helper_test.go

@@ -37,6 +37,7 @@ import (
 type idTokenClaims struct {
 	traits struct {
 		website string
+		groups  []string
 	}
 	metadataPublic struct {
 		picture string
@@ -46,6 +47,29 @@ type idTokenClaims struct {
 	}
 }
 
+func (token *idTokenClaims) MarshalJSON() ([]byte, error) {
+	return json.Marshal(struct {
+		IdToken struct {
+			Website     string   `json:"website,omitempty"`
+			Groups      []string `json:"groups,omitempty"`
+			Picture     string   `json:"picture,omitempty"`
+			PhoneNumber string   `json:"phone_number,omitempty"`
+		} `json:"id_token"`
+	}{
+		IdToken: struct {
+			Website     string   `json:"website,omitempty"`
+			Groups      []string `json:"groups,omitempty"`
+			Picture     string   `json:"picture,omitempty"`
+			PhoneNumber string   `json:"phone_number,omitempty"`
+		}{
+			Website:     token.traits.website,
+			Groups:      token.traits.groups,
+			Picture:     token.metadataPublic.picture,
+			PhoneNumber: token.metadataAdmin.phoneNumber,
+		},
+	})
+}
+
 func createClient(t *testing.T, remote string, redir, id string) {
 	require.NoError(t, resilience.Retry(logrusx.New("", ""), time.Second*10, time.Minute*2, func() error {
 		if req, err := http.NewRequest("DELETE", remote+"/clients/"+id, nil); err != nil {
@@ -137,8 +161,9 @@ func newHydraIntegration(t *testing.T, remote *string, subject *string, claims *
 		require.NotEmpty(t, challenge)
 
 		var b bytes.Buffer
-		var msg = `{"id_token":{"website":"` + claims.traits.website + `","picture":"` + *&claims.metadataPublic.picture + `","phone_number":"` + *&claims.metadataAdmin.phoneNumber + `"}}`
-		require.NoError(t, json.NewEncoder(&b).Encode(&p{GrantScope: *scope, Session: json.RawMessage(msg)}))
+		msg, err := json.Marshal(claims)
+		require.NoError(t, err)
+		require.NoError(t, json.NewEncoder(&b).Encode(&p{GrantScope: *scope, Session: msg}))
 		href := urlx.MustJoin(*remote, "/oauth2/auth/requests/consent/accept") + "?consent_challenge=" + challenge
 		do(w, r, href, &b)
 	})

selfservice/strategy/oidc/strategy_test.go

@@ -452,6 +452,7 @@ func TestStrategy(t *testing.T) {
 		scope = []string{"openid"}
 		claims = idTokenClaims{}
 		claims.traits.website = "https://www.ory.sh/kratos"
+		claims.traits.groups = []string{"group1", "group2"}
 		claims.metadataPublic.picture = "picture.png"
 		claims.metadataAdmin.phoneNumber = "911"
 
@@ -474,6 +475,7 @@ func TestStrategy(t *testing.T) {
 			ai(t, res, body)
 			assert.Equal(t, "https://www.ory.sh/kratos", gjson.GetBytes(body, "identity.traits.website").String(), "%s", body)
 			assert.Equal(t, "valid-name", gjson.GetBytes(body, "identity.traits.name").String(), "%s", body)
+			assert.Equal(t, "[\"group1\",\"group2\"]", gjson.GetBytes(body, "identity.traits.groups").String(), "%s", body)
 		})
 	})
 

selfservice/strategy/oidc/stub/oidc.hydra.jsonnet

@@ -8,6 +8,7 @@ else
       traits: {
         subject: claims.sub,
         [if "website" in claims then "website" else null]: claims.website,
+        [if "groups" in claims.raw_claims then "groups" else null]: claims.raw_claims.groups,
       },
       metadata_public: {
         [if "picture" in claims then "picture" else null]: claims.picture,

selfservice/strategy/oidc/stub/registration.schema.json

@@ -25,6 +25,12 @@
         "website": {
           "type": "string",
           "format": "uri"
+        },
+        "groups": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
         }
       },
       "required": [