fix: support Auth0 connection url parameter (PS-28)

embedx/config.schema.json

@@ -539,6 +539,11 @@
             "type": "string",
             "examples": ["12345678-1234-1234-1234-123456789012"]
           }
+        },
+        "upstream_parameters": {
+          "title": "Parameters to be passed to OIDC provider as part of auth code URL",
+          "type": "object",
+          "additionalProperties": true
         }
       },
       "additionalProperties": false,

selfservice/strategy/oidc/provider.go

@@ -20,7 +20,7 @@ type Provider interface {
 	Config() *Configuration
 	OAuth2(ctx context.Context) (*oauth2.Config, error)
 	Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error)
-	AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption
+	AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error)
 }
 
 type TokenExchanger interface {

selfservice/strategy/oidc/provider_apple.go

@@ -90,7 +90,7 @@ func (a *ProviderApple) OAuth2(ctx context.Context) (*oauth2.Config, error) {
 	return a.oauth2(ctx)
 }
 
-func (a *ProviderApple) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
+func (a *ProviderApple) AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error) {
 	var options []oauth2.AuthCodeOption
 
 	if isForced(r) {
@@ -109,7 +109,7 @@ func (a *ProviderApple) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
 		}
 	}
 
-	return options
+	return options, nil
 }
 
 func (a *ProviderApple) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error) {

selfservice/strategy/oidc/provider_config.go

@@ -112,6 +112,9 @@ type Configuration struct {
 	// AdditionalIDTokenAudiences is a list of additional audiences allowed in the ID Token.
 	// This is only relevant in OIDC flows that submit an IDToken instead of using the callback from the OIDC provider.
 	AdditionalIDTokenAudiences []string `json:"additional_id_token_audiences"`
+
+	// Parameters to be passed to OIDC provider as part of auth code URL
+	UpstreamParameters json.RawMessage `json:"upstream_parameters"`
 }
 
 func (p Configuration) Redir(public *url.URL) string {

selfservice/strategy/oidc/provider_dingtalk.go

@@ -55,10 +55,10 @@ func (g *ProviderDingTalk) oauth2(ctx context.Context) *oauth2.Config {
 	}
 }
 
-func (g *ProviderDingTalk) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
+func (g *ProviderDingTalk) AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error) {
 	return []oauth2.AuthCodeOption{
 		oauth2.SetAuthURLParam("prompt", "consent"),
-	}
+	}, nil
 }
 
 func (g *ProviderDingTalk) OAuth2(ctx context.Context) (*oauth2.Config, error) {

selfservice/strategy/oidc/provider_discord.go

@@ -55,15 +55,15 @@ func (d *ProviderDiscord) OAuth2(ctx context.Context) (*oauth2.Config, error) {
 	return d.oauth2(ctx), nil
 }
 
-func (d *ProviderDiscord) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
+func (d *ProviderDiscord) AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error) {
 	if isForced(r) {
 		return []oauth2.AuthCodeOption{
 			oauth2.SetAuthURLParam("prompt", "consent"),
-		}
+		}, nil
 	}
 	return []oauth2.AuthCodeOption{
 		oauth2.SetAuthURLParam("prompt", "none"),
-	}
+	}, nil
 }
 
 func (d *ProviderDiscord) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error) {

selfservice/strategy/oidc/provider_generic_oidc.go

@@ -5,6 +5,7 @@ package oidc
 
 import (
 	"context"
+	"encoding/json"
 	"net/url"
 
 	"github.com/pkg/errors"
@@ -74,7 +75,7 @@ func (g *ProviderGenericOIDC) OAuth2(ctx context.Context) (*oauth2.Config, error
 	return g.oauth2ConfigFromEndpoint(ctx, endpoint), nil
 }
 
-func (g *ProviderGenericOIDC) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
+func (g *ProviderGenericOIDC) AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error) {
 	var options []oauth2.AuthCodeOption
 
 	if isForced(r) {
@@ -84,7 +85,17 @@ func (g *ProviderGenericOIDC) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption
 		options = append(options, oauth2.SetAuthURLParam("claims", string(g.config.RequestedClaims)))
 	}
 
-	return options
+	if len(g.config.UpstreamParameters) != 0 {
+		var params map[string]string
+		if err := json.Unmarshal(g.config.UpstreamParameters, &params); err != nil {
+			return nil, err
+		}
+		for key, value := range params {
+			options = append(options, oauth2.SetAuthURLParam(key, value))
+		}
+	}
+
+	return options, nil
 }
 
 func (g *ProviderGenericOIDC) verifyAndDecodeClaimsWithProvider(ctx context.Context, provider *gooidc.Provider, raw string) (*Claims, error) {

selfservice/strategy/oidc/provider_generic_test.go

@@ -37,17 +37,20 @@ func makeOIDCClaims() json.RawMessage {
 
 func makeAuthCodeURL(t *testing.T, r *login.Flow, reg *driver.RegistryDefault) string {
 	p := oidc.NewProviderGenericOIDC(&oidc.Configuration{
-		Provider:        "generic",
-		ID:              "valid",
-		ClientID:        "client",
-		ClientSecret:    "secret",
-		IssuerURL:       "https://accounts.google.com",
-		Mapper:          "file://./stub/hydra.schema.json",
-		RequestedClaims: makeOIDCClaims(),
+		Provider:           "generic",
+		ID:                 "valid",
+		ClientID:           "client",
+		ClientSecret:       "secret",
+		IssuerURL:          "https://accounts.google.com",
+		Mapper:             "file://./stub/hydra.schema.json",
+		RequestedClaims:    makeOIDCClaims(),
+		UpstreamParameters: json.RawMessage(`{"connection": "c1"}`),
 	}, reg)
 	c, err := p.OAuth2(context.Background())
 	require.NoError(t, err)
-	return c.AuthCodeURL("state", p.AuthCodeURLOptions(r)...)
+	options, err := p.AuthCodeURLOptions(r)
+	require.NoError(t, err)
+	return c.AuthCodeURL("state", options...)
 }
 
 func TestProviderGenericOIDC_AddAuthCodeURLOptions(t *testing.T) {
@@ -93,4 +96,11 @@ func TestProviderGenericOIDC_AddAuthCodeURLOptions(t *testing.T) {
 		}
 		assert.Contains(t, makeAuthCodeURL(t, r, reg), "claims="+url.QueryEscape(string(makeOIDCClaims())))
 	})
+
+	t.Run("case=expect connection to be set", func(t *testing.T) {
+		r := &login.Flow{
+			ID: x.NewUUID(),
+		}
+		assert.Contains(t, makeAuthCodeURL(t, r, reg), "connection=c1")
+	})
 }

selfservice/strategy/oidc/provider_github.go

@@ -56,8 +56,8 @@ func (g *ProviderGitHub) OAuth2(ctx context.Context) (*oauth2.Config, error) {
 	return g.oauth2(ctx), nil
 }
 
-func (g *ProviderGitHub) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
-	return []oauth2.AuthCodeOption{}
+func (g *ProviderGitHub) AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error) {
+	return []oauth2.AuthCodeOption{}, nil
 }
 
 func (g *ProviderGitHub) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error) {

selfservice/strategy/oidc/provider_github_app.go

@@ -53,8 +53,8 @@ func (g *ProviderGitHubApp) OAuth2(ctx context.Context) (*oauth2.Config, error)
 	return g.oauth2(ctx), nil
 }
 
-func (g *ProviderGitHubApp) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
-	return []oauth2.AuthCodeOption{}
+func (g *ProviderGitHubApp) AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error) {
+	return []oauth2.AuthCodeOption{}, nil
 }
 
 func (g *ProviderGitHubApp) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error) {

selfservice/strategy/oidc/provider_google.go

@@ -58,15 +58,18 @@ func (g *ProviderGoogle) OAuth2(ctx context.Context) (*oauth2.Config, error) {
 	return g.oauth2ConfigFromEndpoint(ctx, endpoint), nil
 }
 
-func (g *ProviderGoogle) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
+func (g *ProviderGoogle) AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error) {
 	scope := g.config.Scope
-	options := g.ProviderGenericOIDC.AuthCodeURLOptions(r)
+	options, err := g.ProviderGenericOIDC.AuthCodeURLOptions(r)
+	if err != nil {
+		return nil, err
+	}
 
 	if stringslice.Has(scope, gooidc.ScopeOfflineAccess) {
 		options = append(options, oauth2.AccessTypeOffline)
 	}
 
-	return options
+	return options, nil
 }
 
 var _ IDTokenVerifier = new(ProviderGoogle)

selfservice/strategy/oidc/provider_google_test.go

@@ -55,7 +55,8 @@ func TestProviderGoogle_AccessType(t *testing.T) {
 		ID: x.NewUUID(),
 	}
 
-	options := p.AuthCodeURLOptions(r)
+	options, err := p.AuthCodeURLOptions(r)
+	require.NoError(t, err)
 	assert.Contains(t, options, oauth2.AccessTypeOffline)
 }
 

selfservice/strategy/oidc/provider_lark.go

@@ -112,6 +112,6 @@ func (g *ProviderLark) Claims(ctx context.Context, exchange *oauth2.Token, query
 	}, nil
 }
 
-func (pl *ProviderLark) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
-	return []oauth2.AuthCodeOption{}
+func (pl *ProviderLark) AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error) {
+	return []oauth2.AuthCodeOption{}, nil
 }

selfservice/strategy/oidc/provider_linkedin.go

@@ -96,8 +96,8 @@ func (l *ProviderLinkedIn) OAuth2(ctx context.Context) (*oauth2.Config, error) {
 	return l.oauth2(ctx), nil
 }
 
-func (l *ProviderLinkedIn) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
-	return []oauth2.AuthCodeOption{}
+func (l *ProviderLinkedIn) AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error) {
+	return []oauth2.AuthCodeOption{}, nil
 }
 
 func (l *ProviderLinkedIn) fetch(ctx context.Context, client *retryablehttp.Client, url string, result interface{}) (err error) {

selfservice/strategy/oidc/provider_patreon.go

@@ -68,15 +68,15 @@ func (d *ProviderPatreon) OAuth2(ctx context.Context) (*oauth2.Config, error) {
 	return d.oauth2(ctx), nil
 }
 
-func (d *ProviderPatreon) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
+func (d *ProviderPatreon) AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error) {
 	if isForced(r) {
 		return []oauth2.AuthCodeOption{
 			oauth2.SetAuthURLParam("prompt", "consent"),
-		}
+		}, nil
 	}
 	return []oauth2.AuthCodeOption{
 		oauth2.SetAuthURLParam("prompt", "none"),
-	}
+	}, nil
 }
 
 func (d *ProviderPatreon) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error) {

selfservice/strategy/oidc/provider_slack.go

@@ -57,8 +57,8 @@ func (d *ProviderSlack) OAuth2(ctx context.Context) (*oauth2.Config, error) {
 	return d.oauth2(ctx), nil
 }
 
-func (d *ProviderSlack) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
-	return []oauth2.AuthCodeOption{}
+func (d *ProviderSlack) AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error) {
+	return []oauth2.AuthCodeOption{}, nil
 }
 
 func (d *ProviderSlack) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error) {

selfservice/strategy/oidc/provider_spotify.go

@@ -56,8 +56,8 @@ func (g *ProviderSpotify) OAuth2(ctx context.Context) (*oauth2.Config, error) {
 	return g.oauth2(ctx), nil
 }
 
-func (g *ProviderSpotify) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
-	return []oauth2.AuthCodeOption{}
+func (g *ProviderSpotify) AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error) {
+	return []oauth2.AuthCodeOption{}, nil
 }
 
 func (g *ProviderSpotify) Claims(ctx context.Context, exchange *oauth2.Token, query url.Values) (*Claims, error) {

selfservice/strategy/oidc/provider_vk.go

@@ -51,8 +51,8 @@ func (g *ProviderVK) oauth2(ctx context.Context) *oauth2.Config {
 	}
 }
 
-func (g *ProviderVK) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
-	return []oauth2.AuthCodeOption{}
+func (g *ProviderVK) AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error) {
+	return []oauth2.AuthCodeOption{}, nil
 }
 
 func (g *ProviderVK) OAuth2(ctx context.Context) (*oauth2.Config, error) {

selfservice/strategy/oidc/provider_yandex.go

@@ -49,8 +49,8 @@ func (g *ProviderYandex) oauth2(ctx context.Context) *oauth2.Config {
 	}
 }
 
-func (g *ProviderYandex) AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption {
-	return []oauth2.AuthCodeOption{}
+func (g *ProviderYandex) AuthCodeURLOptions(r ider) ([]oauth2.AuthCodeOption, error) {
+	return []oauth2.AuthCodeOption{}, nil
 }
 
 func (g *ProviderYandex) OAuth2(ctx context.Context) (*oauth2.Config, error) {

selfservice/strategy/oidc/strategy_login.go

@@ -276,7 +276,11 @@ func (s *Strategy) Login(w http.ResponseWriter, r *http.Request, f *login.Flow,
 		return nil, err
 	}
 
-	codeURL := c.AuthCodeURL(state.String(), append(UpstreamParameters(provider, up), provider.AuthCodeURLOptions(req)...)...)
+	options, err := provider.AuthCodeURLOptions(req)
+	if err != nil {
+		return nil, s.handleError(w, r, f, pid, nil, err)
+	}
+	codeURL := c.AuthCodeURL(state.String(), append(UpstreamParameters(provider, up), options...)...)
 	if x.IsJSONRequest(r) {
 		s.d.Writer().WriteError(w, r, flow.NewBrowserLocationChangeRequiredError(codeURL))
 	} else {

selfservice/strategy/oidc/strategy_registration.go

@@ -240,7 +240,11 @@ func (s *Strategy) Register(w http.ResponseWriter, r *http.Request, f *registrat
 		return err
 	}
 
-	codeURL := c.AuthCodeURL(state.String(), append(UpstreamParameters(provider, up), provider.AuthCodeURLOptions(req)...)...)
+	options, err := provider.AuthCodeURLOptions(req)
+	if err != nil {
+		return s.handleError(w, r, f, pid, nil, err)
+	}
+	codeURL := c.AuthCodeURL(state.String(), append(UpstreamParameters(provider, up), options...)...)
 	if x.IsJSONRequest(r) {
 		s.d.Writer().WriteError(w, r, flow.NewBrowserLocationChangeRequiredError(codeURL))
 	} else {

selfservice/strategy/oidc/strategy_settings.go

@@ -379,7 +379,11 @@ func (s *Strategy) initLinkProvider(w http.ResponseWriter, r *http.Request, ctxU
 		return err
 	}
 
-	codeURL := c.AuthCodeURL(state, append(UpstreamParameters(provider, up), provider.AuthCodeURLOptions(req)...)...)
+	options, err := provider.AuthCodeURLOptions(req)
+	if err != nil {
+		return s.handleSettingsError(w, r, ctxUpdate, p, err)
+	}
+	codeURL := c.AuthCodeURL(state, append(UpstreamParameters(provider, up), options...)...)
 	if x.IsJSONRequest(r) {
 		s.d.Writer().WriteError(w, r, flow.NewBrowserLocationChangeRequiredError(codeURL))
 	} else {