mutator/id_token: Add claim templating (#246)

Author: aeneasr

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,7 +1,6 @@
 ---
 name: Bug report
 about: Create a report to help us improve
-
 ---
 
 **Describe the bug**
@@ -18,15 +17,15 @@ Steps to reproduce the behavior:
 3. Request fails with response: `{"some": "error"}`
 -->
 
-*Server logs*
+_Server logs_
 
 <!--
 ```
 log=error ....
 ```
 -->
 
-*Server configuration*
+_Server configuration_
 
 <!--
 PLEASE OMIT SENSITIVE VALUES
@@ -44,8 +43,8 @@ A clear and concise description of what you expected to happen.
 
 **Environment**
 
-* Version: v1.2.3, git sha hash
-* Environment: Debian, Docker, ...
+- Version: v1.2.3, git sha hash
+- Environment: Debian, Docker, ...
 
 **Additional context**
 

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,22 +1,22 @@
 ---
 name: Feature request
 about: Suggest an idea for this project
-
 ---
 
 **Is your feature request related to a problem? Please describe.**
 
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+A clear and concise description of what the problem is. Ex. I'm always
+frustrated when [...]
 
 **Describe the solution you'd like**
 
 A clear and concise description of what you want to happen.
 
 **Describe alternatives you've considered**
 
-A clear and concise description of any alternative solutions or features you've considered.
+A clear and concise description of any alternative solutions or features you've
+considered.
 
 **Additional context**
 
 Add any other context or screenshots about the feature request here.
-

.github/ISSUE_TEMPLATE/support.md

@@ -1,8 +1,10 @@
 ---
 name: Support request
-about: Please use our forums (community.ory.sh) or the chat (ory.sh/chat) to ask for support
-
+about:
+  Please use our forums (community.ory.sh) or the chat (ory.sh/chat) to ask for
+  support
 ---
 
-Please use issues only to file potential bugs or request features. For everything else please go to
-the [ORY Community](https://community.ory.sh/) or join the [ORY Chat](https://www.ory.sh/chat).
+Please use issues only to file potential bugs or request features. For
+everything else please go to the [ORY Community](https://community.ory.sh/) or
+join the [ORY Chat](https://www.ory.sh/chat).

.github/PULL_REQUEST_TEMPLATE.md

@@ -26,11 +26,15 @@ them, don't hesitate to ask. We're here to help! This is simply a reminder of wh
 
 - [ ] I have read the [contributing guidelines](../blob/master/CONTRIBUTING.md)
 - [ ] I have read the [security policy](../security/policy)
-- [ ] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security
-vulnerability, I confirm that I got green light (please contact [security@ory.sh](mailto:security@ory.sh)) from the maintainers to push the changes.
+- [ ] I confirm that this pull request does not address a security
+      vulnerability. If this pull request addresses a security vulnerability, I
+      confirm that I got green light (please contact
+      [security@ory.sh](mailto:security@ory.sh)) from the maintainers to push
+      the changes.
 - [ ] I have added tests that prove my fix is effective or that my feature works
 - [ ] I have added necessary documentation within the code base (if appropriate)
-- [ ] I have documented my changes in the [developer guide](https://github.com/ory/docs) (if appropriate)
+- [ ] I have documented my changes in the
+      [developer guide](https://github.com/ory/docs) (if appropriate)
 
 ## Further comments
 

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 <!-- START doctoc generated TOC please keep comment here to allow auto update -->
 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+
 **Table of Contents**
 
 - [Introduction](#introduction)
@@ -16,78 +17,104 @@
 
 ## Introduction
 
-Please note: We take ORY Oathkeeper's security and our users' trust very seriously. If you believe you have found a
-security issue in ORY Oathkeeper, please responsibly disclose by contacting us at hi@ory.sh.
+Please note: We take ORY Oathkeeper's security and our users' trust very
+seriously. If you believe you have found a security issue in ORY Oathkeeper,
+please responsibly disclose by contacting us at hi@ory.sh.
 
-First: if you're unsure or afraid of anything, just ask or submit the issue or pull request anyways. You won't be
-yelled at for giving it your best effort. The worst that can happen is that you'll be politely asked to change
-something. We appreciate any sort of contributions, and don't want a wall of rules to get in the way of that.
+First: if you're unsure or afraid of anything, just ask or submit the issue or
+pull request anyways. You won't be yelled at for giving it your best effort. The
+worst that can happen is that you'll be politely asked to change something. We
+appreciate any sort of contributions, and don't want a wall of rules to get in
+the way of that.
 
-That said, if you want to ensure that a pull request is likely to be merged, talk to us! You can find out our thoughts
-and ensure that your contribution won't clash or be obviated by ORY Oathkeeper's normal direction. A great way to do this is via
-the [ORY Community](https://community.ory.sh/) or join the [ORY Chat](https://www.ory.sh/chat).
+That said, if you want to ensure that a pull request is likely to be merged,
+talk to us! You can find out our thoughts and ensure that your contribution
+won't clash or be obviated by ORY Oathkeeper's normal direction. A great way to
+do this is via the [ORY Community](https://community.ory.sh/) or join the
+[ORY Chat](https://www.ory.sh/chat).
 
 ## Contributing Code
 
-Unless you are fixing a known bug, we **strongly** recommend discussing it with the core team via a GitHub issue or
-[in our chat](https://www.ory.sh/chat) before getting started to ensure your work is consistent with
-ORY Oathkeeper's roadmap and architecture.
+Unless you are fixing a known bug, we **strongly** recommend discussing it with
+the core team via a GitHub issue or [in our chat](https://www.ory.sh/chat)
+before getting started to ensure your work is consistent with ORY Oathkeeper's
+roadmap and architecture.
 
-All contributions are made via pull request. Note that **all patches from all contributors get reviewed**. After a pull
-request is made other contributors will offer feedback, and if the patch passes review a maintainer will accept it with
-a comment. When pull requests fail testing, authors are expected to update their pull requests to address the failures
-until the tests pass and the pull request merges successfully.
+All contributions are made via pull request. Note that **all patches from all
+contributors get reviewed**. After a pull request is made other contributors
+will offer feedback, and if the patch passes review a maintainer will accept it
+with a comment. When pull requests fail testing, authors are expected to update
+their pull requests to address the failures until the tests pass and the pull
+request merges successfully.
 
-At least one review from a maintainer is required for all patches (even patches from maintainers).
+At least one review from a maintainer is required for all patches (even patches
+from maintainers).
 
-Reviewers should leave a "LGTM" comment once they are satisfied with the patch. If the patch was submitted by a
-maintainer with write access, the pull request should be merged by the submitter after review.
+Reviewers should leave a "LGTM" comment once they are satisfied with the patch.
+If the patch was submitted by a maintainer with write access, the pull request
+should be merged by the submitter after review.
 
 ## Disclosing vulnerabilities
 
-Please disclose vulnerabilities exclusively to [hi@ory.am](mailto:hi@ory.am). Do not use GitHub issues.
+Please disclose vulnerabilities exclusively to [hi@ory.am](mailto:hi@ory.am). Do
+not use GitHub issues.
 
 ## Code Style
 
 Please follow these guidelines when formatting source code:
 
-* Go code should match the output of `gofmt -s`
+- Go code should match the output of `gofmt -s`
 
 ## Pull request procedure
 
-To make a pull request, you will need a GitHub account; if you are unclear on this process, see GitHub's
-documentation on [forking](https://help.github.com/articles/fork-a-repo) and [pull requests](https://help.github.com/articles/using-pull-requests).
-Pull requests should be targeted at the `master` branch. Before creating a pull request, go through this checklist:
+To make a pull request, you will need a GitHub account; if you are unclear on
+this process, see GitHub's documentation on
+[forking](https://help.github.com/articles/fork-a-repo) and
+[pull requests](https://help.github.com/articles/using-pull-requests). Pull
+requests should be targeted at the `master` branch. Before creating a pull
+request, go through this checklist:
 
 1. Create a feature branch off of `master` so that changes do not get mixed up.
-1. [Rebase](http://git-scm.com/book/en/Git-Branching-Rebasing) your local changes against the `master` branch.
-1. Run the full project test suite with the `go test ./...` (or equivalent) command and confirm that it passes.
+1. [Rebase](http://git-scm.com/book/en/Git-Branching-Rebasing) your local
+   changes against the `master` branch.
+1. Run the full project test suite with the `go test ./...` (or equivalent)
+   command and confirm that it passes.
 1. Run `gofmt -s` (if the project is written in Go).
-1. Ensure that each commit has a subsystem prefix (ex: `controller: `).
+1. Ensure that each commit has a subsystem prefix (ex: `controller:`).
 
-Pull requests will be treated as "review requests," and maintainers will give feedback on the style and substance of the patch.
+Pull requests will be treated as "review requests," and maintainers will give
+feedback on the style and substance of the patch.
 
-Normally, all pull requests must include tests that test your change. Occasionally, a change will
-be very difficult to test for. In those cases, please include a note in your commit message explaining why.
+Normally, all pull requests must include tests that test your change.
+Occasionally, a change will be very difficult to test for. In those cases,
+please include a note in your commit message explaining why.
 
 ## Communication
 
-We use [discord](https://www.ory.sh/chat). You are welcome to drop in and ask questions, discuss bugs, etc.
+We use [discord](https://www.ory.sh/chat). You are welcome to drop in and ask
+questions, discuss bugs, etc.
 
 ## Conduct
 
-Whether you are a regular contributor or a newcomer, we care about making this community a safe place for you and
-we've got your back.
-
-* We are committed to providing a friendly, safe and welcoming environment for all, regardless of gender,
-    sexual orientation, disability, ethnicity, religion, or similar personal characteristic.
-* Please avoid using nicknames that might detract from a friendly, safe and welcoming environment for all.
-* Be kind and courteous. There is no need to be mean or rude.
-* We will exclude you from interaction if you insult, demean or harass anyone. In particular, we do not tolerate
-    behavior that excludes people in socially marginalized groups.
-* Private harassment is also unacceptable. No matter who you are, if you feel you have been or are being harassed or
-    made uncomfortable by a community member, please contact one of the channel ops or a member of the ORY
-    Oathkeeper core team immediately.
-* Likewise any spamming, trolling, flaming, baiting or other attention-stealing behaviour is not welcome.
-
-We welcome discussion about creating a welcoming, safe, and productive environment for the community. If you have any questions, feedback, or concerns [please let us know](https://www.ory.sh/chat).
+Whether you are a regular contributor or a newcomer, we care about making this
+community a safe place for you and we've got your back.
+
+- We are committed to providing a friendly, safe and welcoming environment for
+  all, regardless of gender, sexual orientation, disability, ethnicity,
+  religion, or similar personal characteristic.
+- Please avoid using nicknames that might detract from a friendly, safe and
+  welcoming environment for all.
+- Be kind and courteous. There is no need to be mean or rude.
+- We will exclude you from interaction if you insult, demean or harass anyone.
+  In particular, we do not tolerate behavior that excludes people in socially
+  marginalized groups.
+- Private harassment is also unacceptable. No matter who you are, if you feel
+  you have been or are being harassed or made uncomfortable by a community
+  member, please contact one of the channel ops or a member of the ORY
+  Oathkeeper core team immediately.
+- Likewise any spamming, trolling, flaming, baiting or other attention-stealing
+  behaviour is not welcome.
+
+We welcome discussion about creating a welcoming, safe, and productive
+environment for the community. If you have any questions, feedback, or concerns
+[please let us know](https://www.ory.sh/chat).

CONTRIBUTING.md

@@ -77,16 +77,22 @@ to build ORY Oathkeeper from source.
 ## Who's using it?
 
 <!--BEGIN ADOPTERS-->
-The ORY community stands on the shoulders of individuals, companies, and maintainers. We thank everyone involved - from
-submitting bug reports and feature requests, to contributing patches, to sponsoring our work. Our community is
-1000+ strong and growing rapidly. The ORY stack protects 1.200.000.000+ API requests every month with over
-15.000+ active service nodes. Our small but expert team would have never been able to achieve this without each and
-everyone of you.
 
-The following list represents companies that have accompanied us along the way and that have made outstanding contributions
-to our ecosystem. *If you think that your company deserves a spot here, reach out to <a href="mailto:hi@ory.sh">hi@ory.sh</a>now*!
-
-**Please consider giving back by becoming a sponsor of our open source work on <a href="https://www.patreon.com/_ory">Patreon</a> or 
+The ORY community stands on the shoulders of individuals, companies, and
+maintainers. We thank everyone involved - from submitting bug reports and
+feature requests, to contributing patches, to sponsoring our work. Our community
+is 1000+ strong and growing rapidly. The ORY stack protects 1.200.000.000+ API
+requests every month with over 15.000+ active service nodes. Our small but
+expert team would have never been able to achieve this without each and everyone
+of you.
+
+The following list represents companies that have accompanied us along the way
+and that have made outstanding contributions to our ecosystem. _If you think
+that your company deserves a spot here, reach out to
+<a href="mailto:hi@ory.sh">hi@ory.sh</a>now_!
+
+**Please consider giving back by becoming a sponsor of our open source work on
+<a href="https://www.patreon.com/_ory">Patreon</a> or
 <a href="https://opencollective.com/ory">Open Collective</a>.**
 
 <table>
@@ -164,15 +170,15 @@ as well as all of our backers
 
 <a href="https://opencollective.com/ory#backers" target="_blank"><img src="https://opencollective.com/ory/backers.svg?width=890"></a>
 
-and past & current supporters (in alphabetical order) on [Patreon](https://www.patreon.com/_ory): Alexander Alimovs,
-Billy, Chancy Kennedy, Drozzy, Edwin Trejos, Howard Edidin, Ken Adler Oz Haven, Stefan Hans, TheCrealm.
+and past & current supporters (in alphabetical order) on
+[Patreon](https://www.patreon.com/_ory): Alexander Alimovs, Billy, Chancy
+Kennedy, Drozzy, Edwin Trejos, Howard Edidin, Ken Adler Oz Haven, Stefan Hans,
+TheCrealm.
 
-<em>* Uses one of ORY's major projects in production.</em>
+<em>\* Uses one of ORY's major projects in production.</em>
 
 <!--END ADOPTERS-->
 
-
-
 ## Ecosystem
 
 <a href="https://console.ory.sh/">

README.md

@@ -2,19 +2,17 @@
 
 ## Supported Versions
 
-We release patches for security vulnerabilities.
-Which versions are eligible receiving such patches
-depend on the CVSS v3.0 Rating:
+We release patches for security vulnerabilities. Which versions are eligible
+receiving such patches depend on the CVSS v3.0 Rating:
 
-| CVSS v3.0  | Supported Versions                        |
-| ---------- | ----------------------------------------- |
-| 9.0-10.0   | Releases within the previous three months |
-| 4.0-8.9    | Most recent release                       |
+| CVSS v3.0 | Supported Versions                        |
+| --------- | ----------------------------------------- |
+| 9.0-10.0  | Releases within the previous three months |
+| 4.0-8.9   | Most recent release                       |
 
 ## Reporting a Vulnerability
 
 Please report (suspected) security vulnerabilities to
-**[security@ory.sh](mailto:security@ory.sh)**. You will receive
-a response from us within 48 hours. If the issue is confirmed,
-we will release a patch as soon as possible depending on complexity
-but historically within a few days.
+**[security@ory.sh](mailto:security@ory.sh)**. You will receive a response from
+us within 48 hours. If the issue is confirmed, we will release a patch as soon
+as possible depending on complexity but historically within a few days.

SECURITY.md

@@ -40,16 +40,17 @@ before finalizing the upgrade process.
 
 ## v0.18.0-beta.1+oryOS.12
 
-### Mutators
-1. ORY Oathkeeper now supports multiple mutators. Mutations are performed in the provided order and must all succeed in order for the HTTP request to be forwarded.
-2. The `mutator` property was renamed to `mutators` to reflect its true nature (see previous item).
+### Access Rule Mutators
 
-### Access Rule Changes
-
-As already noted, the `mutator` property was renamed to `mutators` and now represents a list of mutation handlers. If you have
-existing rules, please update them as follows:
+1. ORY Oathkeeper now supports multiple mutators. Mutations are performed in the
+   provided order and must all succeed in order for the HTTP request to be
+   forwarded.
+2. The `mutator` property was renamed to `mutators` to reflect its true nature
+   (see previous item).
+   
+If you have existing rules, please update them as follows:
 
-```
+```patch
 [
   {
     "id": "jwt-rule",
@@ -82,6 +83,29 @@ existing rules, please update them as follows:
 ]
 ```
 
+#### `id_token` mutator now renders go templates
+
+The `id_token` mutator is now capable of rendering custom claims using Go
+[text/template](https://golang.org/pkg/text/template/) receiving the
+`AuthenticationSession` struct as its parameters.
+
+To enable this change, the `aud` config was removed and the `claims` config was introduced.
+The `claims` field is a raw string representing a Go template.
+
+To upgrade existing rules, apply patches similar to this one:
+
+deprecated config:
+
+```patch
+{
+  "handler": "id_token",
+  "config": {
+-    "aud": ["https://my-backend-service/some/endpoint"]
++    "claims": "{\"aud\": [\"https://my-backend-service/some/endpoint\"]}"
+  }
+}
+```
+
 ## v0.17.0-beta.1+oryOS.12
 
 ORY Oathkeeper now watches configuration files and access rules repositories on