Merge branch 'master' into fix-refresh-scope-narrowing

.github/ISSUE_TEMPLATE/BUG-REPORT.yml

@@ -12,27 +12,26 @@ body:
   - attributes:
       label: "Preflight checklist"
       options:
-        - label:
-            "I could not find a solution in the existing issues, docs, nor
+        - label: "I could not find a solution in the existing issues, docs, nor
             discussions."
           required: true
-        - label:
-            "I agree to follow this project's [Code of
+        - label: "I agree to follow this project's [Code of
             Conduct](https://github.com/ory/fosite/blob/master/CODE_OF_CONDUCT.md)."
           required: true
-        - label:
-            "I have read and am following this repository's [Contribution
+        - label: "I have read and am following this repository's [Contribution
             Guidelines](https://github.com/ory/fosite/blob/master/CONTRIBUTING.md)."
           required: true
-        - label:
-            "This issue affects my [Ory Network](https://www.ory.sh/) project."
-        - label:
-            "I have joined the [Ory Community Slack](https://slack.ory.sh)."
-        - label:
-            "I am signed up to the [Ory Security Patch
+        - label: "I have joined the [Ory Community Slack](https://slack.ory.sh)."
+        - label: "I am signed up to the [Ory Security Patch
             Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
     id: checklist
     type: checkboxes
+  - attributes:
+      description: "Enter the slug or API URL of the affected Ory Network project. Leave empty when you are self-hosting."
+      label: "Ory Network Project"
+      placeholder: "https://<your-project-slug>.projects.oryapis.com"
+    id: ory-network-project
+    type: input
   - attributes:
       description: "A clear and concise description of what the bug is."
       label: "Describe the bug"
@@ -56,8 +55,7 @@ body:
     validations:
       required: true
   - attributes:
-      description:
-        "Please copy and paste any relevant log output. This will be
+      description: "Please copy and paste any relevant log output. This will be
         automatically formatted into code, so no need for backticks. Please
         redact any sensitive information"
       label: "Relevant log output"

.github/ISSUE_TEMPLATE/DESIGN-DOC.yml

@@ -1,8 +1,7 @@
 # AUTO-GENERATED, DO NOT EDIT!
 # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/DESIGN-DOC.yml
 
-description:
-  "A design document is needed for non-trivial changes to the code base."
+description: "A design document is needed for non-trivial changes to the code base."
 labels:
   - rfc
 name: "Design Document"
@@ -23,27 +22,26 @@ body:
   - attributes:
       label: "Preflight checklist"
       options:
-        - label:
-            "I could not find a solution in the existing issues, docs, nor
+        - label: "I could not find a solution in the existing issues, docs, nor
             discussions."
           required: true
-        - label:
-            "I agree to follow this project's [Code of
+        - label: "I agree to follow this project's [Code of
             Conduct](https://github.com/ory/fosite/blob/master/CODE_OF_CONDUCT.md)."
           required: true
-        - label:
-            "I have read and am following this repository's [Contribution
+        - label: "I have read and am following this repository's [Contribution
             Guidelines](https://github.com/ory/fosite/blob/master/CONTRIBUTING.md)."
           required: true
-        - label:
-            "This issue affects my [Ory Network](https://www.ory.sh/) project."
-        - label:
-            "I have joined the [Ory Community Slack](https://slack.ory.sh)."
-        - label:
-            "I am signed up to the [Ory Security Patch
+        - label: "I have joined the [Ory Community Slack](https://slack.ory.sh)."
+        - label: "I am signed up to the [Ory Security Patch
             Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
     id: checklist
     type: checkboxes
+  - attributes:
+      description: "Enter the slug or API URL of the affected Ory Network project. Leave empty when you are self-hosting."
+      label: "Ory Network Project"
+      placeholder: "https://<your-project-slug>.projects.oryapis.com"
+    id: ory-network-project
+    type: input
   - attributes:
       description: |
         This section gives the reader a very rough overview of the landscape in which the new system is being built and what is actually being built. This isn’t a requirements doc. Keep it succinct! The goal is that readers are brought up to speed but some previous knowledge can be assumed and detailed info can be linked to. This section should be entirely focused on objective background facts.

.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml

@@ -1,8 +1,7 @@
 # AUTO-GENERATED, DO NOT EDIT!
 # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml
 
-description:
-  "Suggest an idea for this project without a plan for implementation"
+description: "Suggest an idea for this project without a plan for implementation"
 labels:
   - feat
 name: "Feature Request"
@@ -16,30 +15,28 @@ body:
   - attributes:
       label: "Preflight checklist"
       options:
-        - label:
-            "I could not find a solution in the existing issues, docs, nor
+        - label: "I could not find a solution in the existing issues, docs, nor
             discussions."
           required: true
-        - label:
-            "I agree to follow this project's [Code of
+        - label: "I agree to follow this project's [Code of
             Conduct](https://github.com/ory/fosite/blob/master/CODE_OF_CONDUCT.md)."
           required: true
-        - label:
-            "I have read and am following this repository's [Contribution
+        - label: "I have read and am following this repository's [Contribution
             Guidelines](https://github.com/ory/fosite/blob/master/CONTRIBUTING.md)."
           required: true
-        - label:
-            "This issue affects my [Ory Network](https://www.ory.sh/) project."
-        - label:
-            "I have joined the [Ory Community Slack](https://slack.ory.sh)."
-        - label:
-            "I am signed up to the [Ory Security Patch
+        - label: "I have joined the [Ory Community Slack](https://slack.ory.sh)."
+        - label: "I am signed up to the [Ory Security Patch
             Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
     id: checklist
     type: checkboxes
   - attributes:
-      description:
-        "Is your feature request related to a problem? Please describe."
+      description: "Enter the slug or API URL of the affected Ory Network project. Leave empty when you are self-hosting."
+      label: "Ory Network Project"
+      placeholder: "https://<your-project-slug>.projects.oryapis.com"
+    id: ory-network-project
+    type: input
+  - attributes:
+      description: "Is your feature request related to a problem? Please describe."
       label: "Describe your problem"
       placeholder:
         "A clear and concise description of what the problem is. Ex. I'm always
@@ -73,8 +70,7 @@ body:
     validations:
       required: true
   - attributes:
-      description:
-        "Add any other context or screenshots about the feature request here."
+      description: "Add any other context or screenshots about the feature request here."
       label: Additional Context
     id: additional
     type: textarea

.github/ISSUE_TEMPLATE/config.yml

@@ -5,10 +5,8 @@ blank_issues_enabled: false
 contact_links:
   - name: Ory Fosite Forum
     url: https://github.com/orgs/ory/discussions
-    about:
-      Please ask and answer questions here, show your implementations and
+    about: Please ask and answer questions here, show your implementations and
       discuss ideas.
   - name: Ory Chat
     url: https://www.ory.sh/chat
-    about:
-      Hang out with other Ory community members to ask and answer questions.
+    about: Hang out with other Ory community members to ask and answer questions.

.github/workflows/format.yml

@@ -11,7 +11,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v3
         with:
-          go-version: 1.19
+          go-version: "1.21"
       - run: make format
       - name: Indicate formatting issues
         run: git diff HEAD --exit-code --color

.github/workflows/licenses.yml

@@ -14,7 +14,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
         with:
-          go-version: "1.18"
+          go-version: "1.21"
       - uses: actions/setup-node@v2
         with:
           node-version: "18"

.github/workflows/oidc-conformity-master.yml

@@ -17,7 +17,7 @@ jobs:
           ref: master
       - uses: actions/setup-go@v2
         with:
-          go-version: "^1.19.0"
+          go-version: "1.21"
       - name: Update fosite
         run: |
           go mod edit -replace github.com/ory/fosite=github.com/ory/fosite@${{ github.sha }}

.github/workflows/oidc-conformity.yml

@@ -17,7 +17,7 @@ jobs:
           ref: master
       - uses: actions/setup-go@v2
         with:
-          go-version: "^1.19.0"
+          go-version: "1.21"
       - name: Update fosite
         run: |
           go mod edit -replace github.com/ory/fosite=github.com/${{ github.event.pull_request.head.repo.full_name }}@${{ github.event.pull_request.head.sha }}

.github/workflows/test.yml

@@ -11,5 +11,5 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v3
         with:
-          go-version: 1.19
+          go-version: "1.21"
       - run: make test

CODE_OF_CONDUCT.md

@@ -39,6 +39,16 @@ Examples of unacceptable behavior include:
 - Other conduct which could reasonably be considered inappropriate in a
   professional setting
 
+## Open Source Community Support
+
+Ory Open source software is collaborative and based on contributions by
+developers in the Ory community. There is no obligation from Ory to help with
+individual problems. If Ory open source software is used in production in a
+for-profit company or enterprise environment, we mandate a paid support contract
+where Ory is obligated under their service level agreements (SLAs) to offer a
+defined level of availability and responsibility. For more information about
+paid support please contact us at [email protected].
+
 ## Enforcement Responsibilities
 
 Community leaders are responsible for clarifying and enforcing our standards of

HISTORY.md

@@ -1,7 +1,7 @@
 **THIS DOCUMENT HAS MOVED**
 
 This file is no longer being updated and kept for historical reasons. Please
-check the [CHANGELOG](changelog.md) instead!
+check the [CHANGELOG](CHANGELOG.md) instead!
 
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->

README.md

@@ -315,10 +315,11 @@ panic("unable to create private key")
 // check the api docs of fosite.Config for further configuration options
 var config = &fosite.Config{
 	AccessTokenLifespan: time.Minute * 30,
+	GlobalSecret: secret,
 	// ...
 }
 
-var oauth2Provider = compose.ComposeAllEnabled(config, storage, secret, privateKey)
+var oauth2Provider = compose.ComposeAllEnabled(config, storage, privateKey)
 
 // The authorize endpoint is usually at "https://mydomain.com/oauth2/auth".
 func authorizeHandlerFunc(rw http.ResponseWriter, req *http.Request) {

access_error.go

@@ -1,4 +1,4 @@
-// Copyright © 2023 Ory Corp
+// Copyright © 2024 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package fosite

access_error_test.go

@@ -1,4 +1,4 @@
-// Copyright © 2023 Ory Corp
+// Copyright © 2024 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package fosite_test

access_request.go

@@ -1,4 +1,4 @@
-// Copyright © 2023 Ory Corp
+// Copyright © 2024 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package fosite

access_request_handler.go

@@ -1,4 +1,4 @@
-// Copyright © 2023 Ory Corp
+// Copyright © 2024 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package fosite
@@ -10,6 +10,8 @@ import (
 
 	"github.com/ory/fosite/i18n"
 	"github.com/ory/x/errorsx"
+	"github.com/ory/x/otelx"
+	"go.opentelemetry.io/otel/trace"
 
 	"github.com/pkg/errors"
 )
@@ -39,7 +41,10 @@ import (
 //     credentials (or assigned other authentication requirements), the
 //     client MUST authenticate with the authorization server as described
 //     in Section 3.2.1.
-func (f *Fosite) NewAccessRequest(ctx context.Context, r *http.Request, session Session) (AccessRequester, error) {
+func (f *Fosite) NewAccessRequest(ctx context.Context, r *http.Request, session Session) (_ AccessRequester, err error) {
+	ctx, span := trace.SpanFromContext(ctx).TracerProvider().Tracer("github.com/ory/fosite").Start(ctx, "Fosite.NewAccessRequest")
+	defer otelx.End(span, &err)
+
 	accessRequest := NewAccessRequest(session)
 	accessRequest.Request.Lang = i18n.GetLangFromRequest(f.Config.GetMessageCatalog(ctx), r)
 

access_request_handler_test.go

@@ -1,10 +1,9 @@
-// Copyright © 2023 Ory Corp
+// Copyright © 2024 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package fosite_test
 
 import (
-	"context"
 	"encoding/base64"
 	"fmt"
 	"net/http"
@@ -29,8 +28,6 @@ func TestNewAccessRequest(t *testing.T) {
 	hasher := internal.NewMockHasher(ctrl)
 	defer ctrl.Finish()
 
-	ctx := gomock.AssignableToTypeOf(context.WithValue(context.TODO(), ContextKey("test"), nil))
-
 	client := &DefaultClient{}
 	config := &Config{ClientSecretsHasher: hasher, AudienceMatchingStrategy: DefaultAudienceMatchingStrategy}
 	fosite := &Fosite{Store: store, Config: config}
@@ -121,7 +118,7 @@ func TestNewAccessRequest(t *testing.T) {
 				store.EXPECT().GetClient(gomock.Any(), gomock.Eq("foo")).Return(client, nil)
 				client.Public = false
 				client.Secret = []byte("foo")
-				hasher.EXPECT().Compare(ctx, gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(errors.New(""))
+				hasher.EXPECT().Compare(gomock.Any(), gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(errors.New(""))
 			},
 			handlers: TokenEndpointHandlers{handler},
 		},
@@ -138,7 +135,7 @@ func TestNewAccessRequest(t *testing.T) {
 				store.EXPECT().GetClient(gomock.Any(), gomock.Eq("foo")).Return(client, nil)
 				client.Public = false
 				client.Secret = []byte("foo")
-				hasher.EXPECT().Compare(ctx, gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
+				hasher.EXPECT().Compare(gomock.Any(), gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
 				handler.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any()).Return(ErrServerError)
 			},
 			handlers: TokenEndpointHandlers{handler},
@@ -155,7 +152,7 @@ func TestNewAccessRequest(t *testing.T) {
 				store.EXPECT().GetClient(gomock.Any(), gomock.Eq("foo")).Return(client, nil)
 				client.Public = false
 				client.Secret = []byte("foo")
-				hasher.EXPECT().Compare(ctx, gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
+				hasher.EXPECT().Compare(gomock.Any(), gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
 				handler.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any()).Return(nil)
 			},
 			handlers: TokenEndpointHandlers{handler},
@@ -355,8 +352,6 @@ func TestNewAccessRequestWithMixedClientAuth(t *testing.T) {
 	hasher := internal.NewMockHasher(ctrl)
 	defer ctrl.Finish()
 
-	ctx := gomock.AssignableToTypeOf(context.WithValue(context.TODO(), ContextKey("test"), nil))
-
 	client := &DefaultClient{}
 	config := &Config{ClientSecretsHasher: hasher, AudienceMatchingStrategy: DefaultAudienceMatchingStrategy}
 	fosite := &Fosite{Store: store, Config: config}
@@ -380,7 +375,7 @@ func TestNewAccessRequestWithMixedClientAuth(t *testing.T) {
 				store.EXPECT().GetClient(gomock.Any(), gomock.Eq("foo")).Return(client, nil)
 				client.Public = false
 				client.Secret = []byte("foo")
-				hasher.EXPECT().Compare(ctx, gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(errors.New("hash err"))
+				hasher.EXPECT().Compare(gomock.Any(), gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(errors.New("hash err"))
 				handlerWithoutClientAuth.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any()).Return(nil)
 			},
 			method:    "POST",
@@ -398,7 +393,7 @@ func TestNewAccessRequestWithMixedClientAuth(t *testing.T) {
 				store.EXPECT().GetClient(gomock.Any(), gomock.Eq("foo")).Return(client, nil)
 				client.Public = false
 				client.Secret = []byte("foo")
-				hasher.EXPECT().Compare(ctx, gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
+				hasher.EXPECT().Compare(gomock.Any(), gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
 				handlerWithoutClientAuth.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any()).Return(nil)
 				handlerWithClientAuth.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any()).Return(nil)
 			},

access_request_test.go

@@ -1,4 +1,4 @@
-// Copyright © 2023 Ory Corp
+// Copyright © 2024 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package fosite

access_response.go

@@ -1,4 +1,4 @@
-// Copyright © 2023 Ory Corp
+// Copyright © 2024 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package fosite

access_response_test.go

@@ -1,4 +1,4 @@
-// Copyright © 2023 Ory Corp
+// Copyright © 2024 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
 package fosite_test