fix: upgrade fosite and improve webhook integration (#3727)

go.mod

@@ -31,7 +31,7 @@ require (
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
 	github.com/oleiade/reflections v1.0.1
 	github.com/ory/analytics-go/v5 v5.0.1
-	github.com/ory/fosite v0.44.1-0.20231218095112-ac9ae4bd99d7
+	github.com/ory/fosite v0.46.1
 	github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe
 	github.com/ory/graceful v0.1.3
 	github.com/ory/herodot v0.10.3-0.20230626083119-d7e5192f0d88

go.sum

@@ -623,8 +623,8 @@ github.com/ory/analytics-go/v5 v5.0.1 h1:LX8T5B9FN8KZXOtxgN+R3I4THRRVB6+28IKgKBp
 github.com/ory/analytics-go/v5 v5.0.1/go.mod h1:lWCiCjAaJkKfgR/BN5DCLMol8BjKS1x+4jxBxff/FF0=
 github.com/ory/dockertest/v3 v3.10.0 h1:4K3z2VMe8Woe++invjaTB7VRyQXQy5UY+loujO4aNE4=
 github.com/ory/dockertest/v3 v3.10.0/go.mod h1:nr57ZbRWMqfsdGdFNLHz5jjNdDb7VVFnzAeW1n5N1Lg=
-github.com/ory/fosite v0.44.1-0.20231218095112-ac9ae4bd99d7 h1:EZEUk9sdC9cIKSqXipBz4eO84byOLLeVUnptgX7QFvM=
-github.com/ory/fosite v0.44.1-0.20231218095112-ac9ae4bd99d7/go.mod h1:fkMPsnm/UjiefE9dE9CdZQGOH48TWJLIzUcdGIXg8Kk=
+github.com/ory/fosite v0.46.1 h1:VC8h83cbWx7K5r/VToDldSC+317sKFqJjLOPB4Ns4AY=
+github.com/ory/fosite v0.46.1/go.mod h1:fkMPsnm/UjiefE9dE9CdZQGOH48TWJLIzUcdGIXg8Kk=
 github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe h1:rvu4obdvqR0fkSIJ8IfgzKOWwZ5kOT2UNfLq81Qk7rc=
 github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe/go.mod h1:z4n3u6as84LbV4YmgjHhnwtccQqzf4cZlSk9f1FhygI=
 github.com/ory/go-convenience v0.1.0 h1:zouLKfF2GoSGnJwGq+PE/nJAE6dj2Zj5QlTgmMTsTS8=

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=0-description=should_pass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -44,6 +44,10 @@
     "grant_types": [
       "refresh_token"
     ],
-    "payload": {}
+    "payload": {
+      "grant_type": [
+        "refresh_token"
+      ]
+    }
   }
 }

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=2-description=should_pass_because_prompt=none_and_max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -44,6 +44,10 @@
     "grant_types": [
       "refresh_token"
     ],
-    "payload": {}
+    "payload": {
+      "grant_type": [
+        "refresh_token"
+      ]
+    }
   }
 }

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=5-description=should_pass_with_prompt=login_when_authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -44,6 +44,10 @@
     "grant_types": [
       "refresh_token"
     ],
-    "payload": {}
+    "payload": {
+      "grant_type": [
+        "refresh_token"
+      ]
+    }
   }
 }

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=0-description=should_pass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -44,6 +44,10 @@
     "grant_types": [
       "refresh_token"
     ],
-    "payload": {}
+    "payload": {
+      "grant_type": [
+        "refresh_token"
+      ]
+    }
   }
 }

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=2-description=should_pass_because_prompt=none_and_max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -44,6 +44,10 @@
     "grant_types": [
       "refresh_token"
     ],
-    "payload": {}
+    "payload": {
+      "grant_type": [
+        "refresh_token"
+      ]
+    }
   }
 }

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=5-description=should_pass_with_prompt=login_when_authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -44,6 +44,10 @@
     "grant_types": [
       "refresh_token"
     ],
-    "payload": {}
+    "payload": {
+      "grant_type": [
+        "refresh_token"
+      ]
+    }
   }
 }

oauth2/oauth2_auth_code_test.go

@@ -981,10 +981,10 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 					var hookReq hydraoauth2.TokenHookRequest
 					require.NoError(t, json.NewDecoder(r.Body).Decode(&hookReq))
 					require.NotEmpty(t, hookReq.Session)
-					require.Equal(t, hookReq.Session.Extra, map[string]interface{}{"foo": "bar"})
+					require.Equal(t, map[string]interface{}{"foo": "bar"}, hookReq.Session.Extra)
 					require.NotEmpty(t, hookReq.Request)
-					require.ElementsMatch(t, hookReq.Request.GrantedAudience, []string{})
-					require.Equal(t, hookReq.Request.Payload, map[string][]string{})
+					require.ElementsMatch(t, []string{}, hookReq.Request.GrantedAudience)
+					require.Equal(t, map[string][]string{"grant_type": {"authorization_code"}}, hookReq.Request.Payload)
 
 					claims := map[string]interface{}{
 						"hooked": true,
@@ -1667,7 +1667,7 @@ func TestAuthCodeWithMockStrategy(t *testing.T) {
 										require.Equal(t, hookReq.Request.ClientID, oauthConfig.ClientID)
 										require.ElementsMatch(t, hookReq.Request.GrantedScopes, expectedGrantedScopes)
 										require.ElementsMatch(t, hookReq.Request.GrantedAudience, []string{})
-										require.Equal(t, hookReq.Request.Payload, map[string][]string{})
+										require.Equal(t, hookReq.Request.Payload, map[string][]string{"grant_type": {"refresh_token"}})
 
 										snapshotx.SnapshotT(t, hookReq, snapshotx.ExceptPaths(exceptKeys...))
 									}

oauth2/oauth2_client_credentials_test.go

@@ -268,7 +268,10 @@ func TestClientCredentials(t *testing.T) {
 					require.NotEmpty(t, hookReq.Request)
 					require.ElementsMatch(t, hookReq.Request.GrantedScopes, expectedGrantedScopes)
 					require.ElementsMatch(t, hookReq.Request.GrantedAudience, expectedGrantedAudience)
-					require.Equal(t, hookReq.Request.Payload, map[string][]string{})
+					require.Equal(t, hookReq.Request.Payload, map[string][]string{
+						"grant_type": {"client_credentials"},
+						"scope":      {"foobar"},
+					})
 
 					claims := map[string]interface{}{
 						"hooked": true,

oauth2/oauth2_jwt_bearer_test.go

@@ -326,7 +326,11 @@ func TestJWTBearer(t *testing.T) {
 
 					expectedGrantedScopes := []string{client.Scope}
 					expectedGrantedAudience := []string{audience}
-					expectedPayload := map[string][]string(map[string][]string{"assertion": {token}})
+					expectedPayload := map[string][]string{
+						"assertion":  {token},
+						"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
+						"scope":      {"offline_access"},
+					}
 
 					var hookReq hydraoauth2.TokenHookRequest
 					require.NoError(t, json.NewDecoder(r.Body).Decode(&hookReq))
@@ -335,7 +339,7 @@ func TestJWTBearer(t *testing.T) {
 					require.NotEmpty(t, hookReq.Request)
 					require.ElementsMatch(t, hookReq.Request.GrantedScopes, expectedGrantedScopes)
 					require.ElementsMatch(t, hookReq.Request.GrantedAudience, expectedGrantedAudience)
-					require.Equal(t, hookReq.Request.Payload, expectedPayload)
+					require.Equal(t, expectedPayload, hookReq.Request.Payload)
 
 					claims := map[string]interface{}{
 						"hooked": true,
@@ -401,7 +405,12 @@ func TestJWTBearer(t *testing.T) {
 
 					expectedGrantedScopes := []string{client.Scope}
 					expectedGrantedAudience := []string{audience}
-					expectedPayload := map[string][]string(map[string][]string{"assertion": {token}})
+					expectedPayload := map[string][]string{
+						"assertion":  {token},
+						"client_id":  {client.GetID()},
+						"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
+						"scope":      {"offline_access"},
+					}
 
 					var hookReq hydraoauth2.TokenHookRequest
 					require.NoError(t, json.NewDecoder(r.Body).Decode(&hookReq))