nbycomp · davidcarrera · May 14, 2024 · May 14, 2024 · Nov 30, 2025 · Nov 26, 2025
diff --git a/oryx/dbal/testhelpers.go b/oryx/dbal/testhelpers.go
@@ -10,10 +10,11 @@
 	"regexp"
 	"testing"
 
-	"github.com/ory/x/sqlcon/dockertest"
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/require"
 
+	"github.com/ory/x/sqlcon/dockertest"
+
 	"github.com/ory/pop/v6"
 	"github.com/ory/x/fsx"
 )
@@ -28,8 +29,8 @@
 
 	updateDump := func(t testing.TB) {
 		dump := dockertest.DumpSchema(t, c)
-		f, err := os.OpenFile(dumpFilename, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644)
+		f, err := os.OpenFile(dumpFilename, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
 		require.NoError(t, err)
 		defer f.Close()
 
 		_, _ = fmt.Fprintf(f, "-- migrations hash: %x\n\n%s", newHash, dump)

diff --git a/oryx/httpx/ssrf.go b/oryx/httpx/ssrf.go
@@ -86,10 +86,12 @@ func init() {
 		ssrf.WithNetworks("tcp4", "tcp6"),
 		ssrf.WithAllowedV4Prefixes(
 			netip.MustParsePrefix("10.0.0.0/8"),     // Private-Use (RFC 1918)
+			netip.MustParsePrefix("100.64.0.0/10"),  // Shared Address Space (RFC 6598)
 			netip.MustParsePrefix("127.0.0.0/8"),    // Loopback (RFC 1122, Section 3.2.1.3))
 			netip.MustParsePrefix("169.254.0.0/16"), // Link Local (RFC 3927)
 			netip.MustParsePrefix("172.16.0.0/12"),  // Private-Use (RFC 1918)
 			netip.MustParsePrefix("192.168.0.0/16"), // Private-Use (RFC 1918)
+			netip.MustParsePrefix("198.18.0.0/15"),  // Benchmarking (RFC 2544)
 		),
 		ssrf.WithAllowedV6Prefixes(
 			netip.MustParsePrefix("::1/128"),  // Loopback (RFC 4193)
@@ -106,10 +108,12 @@ func init() {
 		ssrf.WithNetworks("tcp4"),
 		ssrf.WithAllowedV4Prefixes(
 			netip.MustParsePrefix("10.0.0.0/8"),     // Private-Use (RFC 1918)
+			netip.MustParsePrefix("100.64.0.0/10"),  // Shared Address Space (RFC 6598)
 			netip.MustParsePrefix("127.0.0.0/8"),    // Loopback (RFC 1122, Section 3.2.1.3))
 			netip.MustParsePrefix("169.254.0.0/16"), // Link Local (RFC 3927)
 			netip.MustParsePrefix("172.16.0.0/12"),  // Private-Use (RFC 1918)
 			netip.MustParsePrefix("192.168.0.0/16"), // Private-Use (RFC 1918)
+			netip.MustParsePrefix("198.18.0.0/15"),  // Benchmarking (RFC 2544)
 		),
 		ssrf.WithAllowedV6Prefixes(
 			netip.MustParsePrefix("::1/128"),  // Loopback (RFC 4193)

diff --git a/selfservice/flow/login/handler.go b/selfservice/flow/login/handler.go
@@ -941,7 +941,7 @@ continueLogin:
 		return
 	}
 
-	if err := h.d.LoginHookExecutor().PostLoginHook(w, r, group, f, i, sess, ""); err != nil {
+	if err := h.d.LoginHookExecutor().PostLoginHook(w, r, group, f, i, sess, nil, ""); err != nil {
 		if errors.Is(err, ErrAddressNotVerified) {
 			h.d.LoginFlowErrorHandler().WriteFlowError(w, r, f, node.DefaultGroup, errors.WithStack(schema.NewAddressNotVerifiedError()))
 			return

diff --git a/selfservice/flow/login/hook.go b/selfservice/flow/login/hook.go
@@ -22,6 +22,7 @@ import (
 	"github.com/ory/kratos/schema"
 	"github.com/ory/kratos/selfservice/flow"
 	"github.com/ory/kratos/selfservice/sessiontokenexchange"
+	"github.com/ory/kratos/selfservice/strategy/oidc/claims"
 	"github.com/ory/kratos/session"
 	"github.com/ory/kratos/ui/container"
 	"github.com/ory/kratos/ui/node"
@@ -36,7 +37,7 @@ type (
 	}
 
 	PostHookExecutor interface {
-		ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *Flow, s *session.Session) error
+		ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *Flow, s *session.Session, c *claims.Claims) error
 	}
 
 	HooksProvider interface {
@@ -130,6 +131,7 @@ func (e *HookExecutor) PostLoginHook(
 	f *Flow,
 	i *identity.Identity,
 	s *session.Session,
+	c *claims.Claims,
 	provider string,
 ) (err error) {
 	ctx := r.Context()
@@ -149,15 +151,15 @@ func (e *HookExecutor) PostLoginHook(
 		return err
 	}
 
-	c := e.d.Config()
+	cfg := e.d.Config()
 	// Verify the redirect URL before we do any other processing.
 	returnTo, err := redir.SecureRedirectTo(r,
-		c.SelfServiceBrowserDefaultReturnTo(ctx),
+		cfg.SelfServiceBrowserDefaultReturnTo(ctx),
 		redir.SecureRedirectReturnTo(f.ReturnTo),
 		redir.SecureRedirectUseSourceURL(f.RequestURL),
-		redir.SecureRedirectAllowURLs(c.SelfServiceBrowserAllowedReturnToDomains(ctx)),
-		redir.SecureRedirectAllowSelfServiceURLs(c.SelfPublicURL(ctx)),
-		redir.SecureRedirectOverrideDefaultReturnTo(c.SelfServiceFlowLoginReturnTo(ctx, f.Active.String())),
+		redir.SecureRedirectAllowURLs(cfg.SelfServiceBrowserAllowedReturnToDomains(ctx)),
+		redir.SecureRedirectAllowSelfServiceURLs(cfg.SelfPublicURL(ctx)),
+		redir.SecureRedirectOverrideDefaultReturnTo(cfg.SelfServiceFlowLoginReturnTo(ctx, f.Active.String())),
 	)
 	if err != nil {
 		return err
@@ -185,7 +187,7 @@ func (e *HookExecutor) PostLoginHook(
 		return err
 	}
 	for k, executor := range hooks {
-		if err := executor.ExecuteLoginPostHook(w, r, g, f, s); err != nil {
+		if err := executor.ExecuteLoginPostHook(w, r, g, f, s, c); err != nil {
 			if errors.Is(err, ErrHookAbortFlow) {
 				e.d.Logger().
 					WithRequest(r).

diff --git a/selfservice/flow/login/hook_test.go b/selfservice/flow/login/hook_test.go
@@ -76,7 +76,7 @@ func TestLoginExecutor(t *testing.T) {
 					}
 
 					testhelpers.SelfServiceHookLoginErrorHandler(t, w, r,
-						reg.LoginHookExecutor().PostLoginHook(w, r, strategy.ToUiNodeGroup(), loginFlow, useIdentity, sess, ""))
+						reg.LoginHookExecutor().PostLoginHook(w, r, strategy.ToUiNodeGroup(), loginFlow, useIdentity, sess, nil, ""))
 				})
 
 				router.HandleFunc("GET /login/post2fa", func(w http.ResponseWriter, r *http.Request) {
@@ -96,7 +96,7 @@ func TestLoginExecutor(t *testing.T) {
 					}
 
 					testhelpers.SelfServiceHookLoginErrorHandler(t, w, r,
-						reg.LoginHookExecutor().PostLoginHook(w, r, strategy.ToUiNodeGroup(), loginFlow, useIdentity, sess, ""))
+						reg.LoginHookExecutor().PostLoginHook(w, r, strategy.ToUiNodeGroup(), loginFlow, useIdentity, sess, nil, ""))
 				})
 
 				ts := httptest.NewServer(router)

diff --git a/selfservice/hook/error.go b/selfservice/hook/error.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/ory/kratos/selfservice/flow/recovery"
 	"github.com/ory/kratos/selfservice/flow/verification"
+	"github.com/ory/kratos/selfservice/strategy/oidc/claims"
 	"github.com/ory/kratos/ui/node"
 
 	"github.com/ory/kratos/identity"
@@ -64,7 +65,7 @@ func (e Error) ExecuteSettingsPostPersistHook(w http.ResponseWriter, r *http.Req
 	return e.err("ExecuteSettingsPostPersistHook", settings.ErrHookAbortFlow)
 }
 
-func (e Error) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *login.Flow, s *session.Session) error {
+func (e Error) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, a *login.Flow, s *session.Session, c *claims.Claims) error {
 	return e.err("ExecuteLoginPostHook", login.ErrHookAbortFlow)
 }
 

diff --git a/selfservice/hook/require_verified_address.go b/selfservice/hook/require_verified_address.go
@@ -9,6 +9,7 @@ import (
 	"github.com/ory/kratos/driver/config"
 	"github.com/ory/kratos/selfservice/flow"
 	"github.com/ory/kratos/selfservice/flow/verification"
+	"github.com/ory/kratos/selfservice/strategy/oidc/claims"
 	"github.com/ory/kratos/text"
 	"github.com/ory/kratos/x"
 	"github.com/ory/kratos/x/nosurfx"
@@ -50,7 +51,7 @@ func NewAddressVerifier(r addressVerifierDependencies) *AddressVerifier {
 	}
 }
 
-func (e *AddressVerifier) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, f *login.Flow, s *session.Session) (err error) {
+func (e *AddressVerifier) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, f *login.Flow, s *session.Session, _ *claims.Claims) (err error) {
 	ctx, span := e.r.Tracer(r.Context()).Tracer().Start(r.Context(), "selfservice.hook.Verifier.do")
 	r = r.WithContext(ctx)
 	defer otelx.End(span, &err)

diff --git a/selfservice/hook/require_verified_address_test.go b/selfservice/hook/require_verified_address_test.go
@@ -101,7 +101,7 @@ func TestAddressVerifier(t *testing.T) {
 							ID:       x.NewUUID(),
 							Identity: &identity.Identity{ID: x.NewUUID(), VerifiableAddresses: uc.verifiableAddresses},
 						}
-						err := verifier.ExecuteLoginPostHook(nil, httptest.NewRequest("GET", "http://example.com", nil), node.DefaultGroup, tc.flow, sessions)
+						err := verifier.ExecuteLoginPostHook(nil, httptest.NewRequest("GET", "http://example.com", nil), node.DefaultGroup, tc.flow, sessions, nil)
 						if tc.neverError || uc.expectedError == nil {
 							assert.NoError(t, err)
 						} else {
@@ -158,7 +158,7 @@ func TestAddressVerifier(t *testing.T) {
 			}
 
 			// Expect verification flow creation and ErrHookAbortFlow
-			err := verifier.ExecuteLoginPostHook(mockResponse, mockJSONReq, node.DefaultGroup, loginFlow, sessions)
+			err := verifier.ExecuteLoginPostHook(mockResponse, mockJSONReq, node.DefaultGroup, loginFlow, sessions, nil)
 			assert.ErrorIs(t, err, login.ErrHookAbortFlow)
 
 			// Verify response contains continueWith and ErrAddressNotVerified
@@ -216,7 +216,7 @@ func TestAddressVerifier(t *testing.T) {
 			}
 
 			// Expect verification flow creation and redirect
-			err := verifier.ExecuteLoginPostHook(mockResponse, mockBrowserReq, node.DefaultGroup, browserFlow, sessions)
+			err := verifier.ExecuteLoginPostHook(mockResponse, mockBrowserReq, node.DefaultGroup, browserFlow, sessions, nil)
 			assert.ErrorIs(t, err, login.ErrHookAbortFlow)
 
 			// Verify redirect occurred
@@ -254,7 +254,7 @@ func TestAddressVerifier(t *testing.T) {
 				Identity: identity,
 			}
 
-			err := verifier.ExecuteLoginPostHook(nil, mockRequest, node.DefaultGroup, verifiedFlow, sessions)
+			err := verifier.ExecuteLoginPostHook(nil, mockRequest, node.DefaultGroup, verifiedFlow, sessions, nil)
 			assert.NoError(t, err)
 		})
 
@@ -279,7 +279,7 @@ func TestAddressVerifier(t *testing.T) {
 				Identity: identity,
 			}
 
-			err := verifier.ExecuteLoginPostHook(nil, mockRequest, node.DefaultGroup, noAddressFlow, sessions)
+			err := verifier.ExecuteLoginPostHook(nil, mockRequest, node.DefaultGroup, noAddressFlow, sessions, nil)
 			assert.ErrorIs(t, err, herodot.ErrMisconfiguration)
 		})
 	})

diff --git a/selfservice/hook/session_destroyer.go b/selfservice/hook/session_destroyer.go
@@ -11,14 +11,17 @@ import (
 	"github.com/ory/kratos/selfservice/flow/login"
 	"github.com/ory/kratos/selfservice/flow/recovery"
 	"github.com/ory/kratos/selfservice/flow/settings"
+	"github.com/ory/kratos/selfservice/strategy/oidc/claims"
 	"github.com/ory/kratos/session"
 	"github.com/ory/kratos/ui/node"
 	"github.com/ory/x/otelx"
 )
 
-var _ login.PostHookExecutor = new(SessionDestroyer)
-var _ recovery.PostHookExecutor = new(SessionDestroyer)
-var _ settings.PostHookPostPersistExecutor = new(SessionDestroyer)
+var (
+	_ login.PostHookExecutor               = new(SessionDestroyer)
+	_ recovery.PostHookExecutor            = new(SessionDestroyer)
+	_ settings.PostHookPostPersistExecutor = new(SessionDestroyer)
+)
 
 type (
 	sessionDestroyerDependencies interface {
@@ -34,7 +37,7 @@ func NewSessionDestroyer(r sessionDestroyerDependencies) *SessionDestroyer {
 	return &SessionDestroyer{r: r}
 }
 
-func (e *SessionDestroyer) ExecuteLoginPostHook(_ http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, _ *login.Flow, s *session.Session) error {
+func (e *SessionDestroyer) ExecuteLoginPostHook(_ http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, _ *login.Flow, s *session.Session, _ *claims.Claims) error {
 	return otelx.WithSpan(r.Context(), "selfservice.hook.SessionDestroyer.ExecuteLoginPostHook", func(ctx context.Context) error {
 		if _, err := e.r.SessionPersister().RevokeSessionsIdentityExcept(ctx, s.Identity.ID, s.ID); err != nil {
 			return err

diff --git a/selfservice/hook/session_destroyer_test.go b/selfservice/hook/session_destroyer_test.go
@@ -52,6 +52,7 @@ func TestSessionDestroyer(t *testing.T) {
 					node.DefaultGroup,
 					nil,
 					&session.Session{Identity: i},
+					nil,
 				)
 			},
 		},

diff --git a/selfservice/hook/show_verification_ui.go b/selfservice/hook/show_verification_ui.go
@@ -17,6 +17,7 @@ import (
 	"github.com/ory/kratos/selfservice/flow"
 	"github.com/ory/kratos/selfservice/flow/login"
 	"github.com/ory/kratos/selfservice/flow/registration"
+	"github.com/ory/kratos/selfservice/strategy/oidc/claims"
 	"github.com/ory/kratos/session"
 	"github.com/ory/kratos/ui/node"
 	"github.com/ory/kratos/x"
@@ -59,7 +60,7 @@ func (e *ShowVerificationUIHook) ExecutePostRegistrationPostPersistHook(_ http.R
 
 // ExecuteLoginPostHook adds redirect headers and status code if the request is a browser request.
 // If the request is not a browser request, this hook does nothing.
-func (e *ShowVerificationUIHook) ExecuteLoginPostHook(_ http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, f *login.Flow, _ *session.Session) error {
+func (e *ShowVerificationUIHook) ExecuteLoginPostHook(_ http.ResponseWriter, r *http.Request, _ node.UiNodeGroup, f *login.Flow, _ *session.Session, _ *claims.Claims) error {
 	return e.execute(r, f)
 }
 

diff --git a/selfservice/hook/show_verification_ui_test.go b/selfservice/hook/show_verification_ui_test.go
@@ -85,7 +85,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
 			browserRequest := httptest.NewRequest("GET", "/", nil)
 			f := &login.Flow{}
 			rec := httptest.NewRecorder()
-			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", f, nil))
+			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", f, nil, nil))
 			require.Equal(t, 200, rec.Code)
 		})
 
@@ -96,7 +96,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
 			browserRequest.Header.Add("Accept", "application/json")
 			f := &login.Flow{}
 			rec := httptest.NewRecorder()
-			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", f, nil))
+			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", f, nil, nil))
 			require.Equal(t, 200, rec.Code)
 		})
 
@@ -113,7 +113,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
 				flow.NewContinueWithVerificationUI(vf.ID, "some@ory.sh", ""),
 			}
 			rec := httptest.NewRecorder()
-			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", rf, nil))
+			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", rf, nil, nil))
 			assert.Equal(t, 200, rec.Code)
 			assert.Equal(t, "/verification?flow="+vf.ID.String(), rf.ReturnToVerification)
 		})
@@ -128,7 +128,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
 				flow.NewContinueWithSetToken("token"),
 			}
 			rec := httptest.NewRecorder()
-			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", rf, nil))
+			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", rf, nil, nil))
 			assert.Equal(t, 200, rec.Code)
 		})
 	})
@@ -201,7 +201,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
 			lf.InternalContext = internalContext
 
 			rec := httptest.NewRecorder()
-			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", lf, nil))
+			require.NoError(t, h.ExecuteLoginPostHook(rec, browserRequest, "", lf, nil, nil))
 			assert.Equal(t, 200, rec.Code)
 			assert.Equal(t, "/verification?flow="+vfID.String(), lf.ReturnToVerification)
 		})
@@ -220,7 +220,7 @@ func TestExecutePostRegistrationPostPersistHook(t *testing.T) {
 			lf.InternalContext = internalContext
 
 			rec := httptest.NewRecorder()
-			err = h.ExecuteLoginPostHook(rec, browserRequest, "", lf, nil)
+			err = h.ExecuteLoginPostHook(rec, browserRequest, "", lf, nil, nil)
 			require.Error(t, err)
 		})
 	})

diff --git a/selfservice/hook/stub/test_body.jsonnet b/selfservice/hook/stub/test_body.jsonnet
@@ -1,10 +1,14 @@
 function(ctx) std.prune({
   flow_id: ctx.flow.id,
-  identity_id: if std.objectHas(ctx, "identity") then ctx.identity.id,
-  session_id: if std.objectHas(ctx, "session") then ctx.session.id,
+  identity_id: if std.objectHas(ctx, 'identity') then ctx.identity.id,
+  session_id: if std.objectHas(ctx, 'session') then ctx.session.id,
   headers: ctx.request_headers,
   url: ctx.request_url,
   method: ctx.request_method,
   cookies: ctx.request_cookies,
-  transient_payload: if std.objectHas(ctx.flow, "transient_payload") then ctx.flow.transient_payload,
+  transient_payload: if std.objectHas(ctx.flow, 'transient_payload') then ctx.flow.transient_payload,
+  nickname: if std.objectHas(ctx, 'claims') then ctx.claims.nickname,
+  groups: if std.objectHas(ctx, 'claims') &&
+             std.objectHas(ctx.claims, 'raw_claims') &&
+             std.objectHas(ctx.claims.raw_claims, 'groups') then ctx.claims.raw_claims.groups,
 })
diff --git a/selfservice/hook/verification.go b/selfservice/hook/verification.go
@@ -21,6 +21,7 @@ import (
 	"github.com/ory/kratos/selfservice/flow/registration"
 	"github.com/ory/kratos/selfservice/flow/settings"
 	"github.com/ory/kratos/selfservice/flow/verification"
+	"github.com/ory/kratos/selfservice/strategy/oidc/claims"
 	"github.com/ory/kratos/session"
 	"github.com/ory/kratos/text"
 	"github.com/ory/kratos/ui/node"
@@ -72,7 +73,7 @@ func (e *Verifier) ExecuteSettingsPostPersistHook(w http.ResponseWriter, r *http
 	})
 }
 
-func (e *Verifier) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, f *login.Flow, s *session.Session) (err error) {
+func (e *Verifier) ExecuteLoginPostHook(w http.ResponseWriter, r *http.Request, g node.UiNodeGroup, f *login.Flow, s *session.Session, c *claims.Claims) (err error) {
 	ctx, span := e.r.Tracer(r.Context()).Tracer().Start(r.Context(), "selfservice.hook.Verifier.ExecuteLoginPostHook")
 	r = r.WithContext(ctx)
 	defer otelx.End(span, &err)

diff --git a/selfservice/hook/verification_test.go b/selfservice/hook/verification_test.go
@@ -53,7 +53,7 @@ func TestVerifier(t *testing.T) {
 			name: "login",
 			execHook: func(h *hook.Verifier, i *identity.Identity, f flow.Flow) error {
 				return h.ExecuteLoginPostHook(
-					httptest.NewRecorder(), u, node.CodeGroup, f.(*login.Flow), &session.Session{ID: x.NewUUID(), Identity: i})
+					httptest.NewRecorder(), u, node.CodeGroup, f.(*login.Flow), &session.Session{ID: x.NewUUID(), Identity: i}, nil)
 			},
 			originalFlow: func() interface {
 				flow.InternalContexter
@@ -158,7 +158,7 @@ func TestVerifier(t *testing.T) {
 		h := hook.NewVerifier(reg)
 		i := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID)
 		f := &login.Flow{RequestedAAL: "aal2"}
-		require.NoError(t, h.ExecuteLoginPostHook(httptest.NewRecorder(), u, node.CodeGroup, f, &session.Session{ID: x.NewUUID(), Identity: i}))
+		require.NoError(t, h.ExecuteLoginPostHook(httptest.NewRecorder(), u, node.CodeGroup, f, &session.Session{ID: x.NewUUID(), Identity: i}, nil))
 
 		messages, err := reg.CourierPersister().NextMessages(context.Background(), 12)
 		require.EqualError(t, err, "queue is empty")
-Original file line number
+Diff line change
@@ Expand Up / @@ -52,6 +52,7 @@ func TestSessionDestroyer(t *testing.T) { @@
     					node.DefaultGroup,
     					nil,
     					&session.Session{Identity: i},
+    					nil,
     				)
     			},
     		},
@@ Expand Down @@