feat: identity by identifier

[kelkarajay]

Changes

• Enabling identity lookup using an identifier

Related issue(s)

https://github.com/ory-corp/cloud/issues/3947

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

[codecov]

Codecov Report

Merging #3077 (0a78dae) into master (9477ea4) will increase coverage by 0.05%.
The diff coverage is 79.60%.

❗ Current head 0a78dae differs from pull request most recent head f5e8fb3. Consider uploading reports for the commit f5e8fb3 to get more accurate results

@@            Coverage Diff             @@
##           master    #3077      +/-   ##
==========================================
+ Coverage   77.35%   77.41%   +0.05%     
==========================================
  Files         315      315              
  Lines       19817    19885      +68     
==========================================
+ Hits        15330    15394      +64     
- Misses       3297     3300       +3     
- Partials     1190     1191       +1     

Impacted Files	Coverage Δ
selfservice/flow/registration/handler.go	79.37% <ø> (ø)
selfservice/flow/verification/flow.go	90.80% <ø> (ø)
selfservice/hook/session_destroyer.go	66.66% <0.00%> (ø)
selfservice/strategy/code/strategy_verification.go	75.11% <ø> (ø)
selfservice/strategy/link/strategy_verification.go	58.59% <50.00%> (ø)
selfservice/strategy/link/sender.go	70.10% <51.85%> (ø)
selfservice/strategy/code/code_sender.go	78.07% <66.66%> (ø)
identity/handler.go	84.91% <75.00%> (+0.33%)	⬆️
selfservice/hook/web_hook.go	78.78% <75.00%> (ø)
driver/config/config.go	82.77% <100.00%> (ø)
... and 22 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[jonas-jonas]

Looking good already. Have a few comments on the semantics of the API.

[jonas-jonas]

One more detail on how we want the identifier parameter to behave. IMO, it should behave like a filter to the outside consumer, even though technically speaking, there can only ever be one result returned from this (right now).

Btw. I do recall discussions about whether we can widen the scope of the identifier parameter filter to other fields, such as recovery addresses, OIDC connections, etc. Did you look into that? Is that possible?

Because if so, there could very well be more than one identity (I think) in the result set.

[jonas-jonas]

Well, no. IMO, this should return an empty array, since clients expect an array here.

How would this feature be used in the context of the ory network?
We'd probably add a "search" input to the "List identities" table, similar to the email delivery page:

Or do you have something else in mind?

And we already (should) have the logic for displaying a message for "no results found" if the array is empty. So if this endpoint all of a sudden returns 404 this will probably break that and we'd need to implement better error handling on that page.

[kelkarajay]

8166ba1

[jonas-jonas]

Nit: could use a snapshot instead.

[jonas-jonas]

Btw. I do recall discussions about whether we can widen the scope of the identifier parameter filter to other fields, such as recovery addresses, OIDC connections, etc. Did you look into that? Is that possible?

Okay, so OIDC connections and webauthn credentials would be stored in the same way the credentials are. So that should work. But I think it would be great, if we had a test that also checks whether accounts with those kinds of credentials can be found, too. Right now, we're only testing for password credentials, right?

[aeneasr]

Shouldn't this be analogous to:

	// Identities using the marshaler for including metadata_admin
	isam := make([]WithAdminMetadataInJSON, len(is))
	for i, identity := range is {
		isam[i] = WithAdminMetadataInJSON(identity)
	}

And more generally speaking, I think that the implementation does not cover both use cases:

1. Search users as an administrator to e.g. delete them
2. Show the user ways he/she can sign in (e.g. user A has password and social enabled -> show those two fields during login)

The second case is not (yet) covered, because we do not return the credentials metadata. Thus, the consumer of the API wouldn't know which credentials are available for the user.

Here too I'm fine with shipping this in its current state and adding credentials metainfo later.

[kelkarajay]

Credentials use case is now fixed - 4a16b0f

[aeneasr]

Note: The test has a medium score - it does test properly that the persister is able to find the identity by its identifier, but since we only create one identity it could also simply return the first identity in the list. What saves us is the implicit knowledge that we created 25 identities in the test prior, but that implies that we don't care about test isolation. In isolation, the test doesn't properly satisfy our requirements (of 10 identities give me exactly the one that has identifier X; for 10 identities tell me "no identity found" if I search for a non-existing user identifier)

[kelkarajay]

Fair point about the test isolation, I'll fix the test to create identities of different credential types as well

[aeneasr]

Normalization like we do it in the original function is missing:

match = p.normalizeIdentifier(ct, match)

That means that the match is to be case sensitive, which will return different results depending on which persister API you use. Please normalize the match

[kelkarajay]

@aeneasr Normalization was left out because OIDC credential identifier would be case-sensitive while Password/WebAuthn identifier's are lower-cased during identity creation. Prior to the query, we just have the identifier and not the credential type to perform the appropriate normalization

[aeneasr]

I see, that's a fair assumption. Let's view it in the full context:

Only webauthn and password use user-based input for their identifiers (e.g. the email or username), which is why they get normalized (because users mess up capitalization on mobile). All other methods use either the identity's UUID or in the case of Social Sign In a concatenated string provider:user_id_from_provider

IMO we only need to cover the use case where the identifier is based on user input (aka registration or settings form - email, username, phone number, ...) because it doesn't really make sense to search for these system generated strings from an API perspective.

By the way, an addition to the logic would be to search for recovery_addresses or verification_addresses using the via. Not saying that we have to do it now, but can add later.

[aeneasr]

Note: this is more or less a copy of FindByCredentialsTypeAndIdentifier with two distinctions

1. Credentials are not returned
2. We do not care about credentials type

It would be much nicer (and less error prone) to have a common functionality to cover "search for identity credentials identifier with and without the credentials type".

There's always a balance between abstraction and copy/pasting code. The latter does come with the usualy problems such as forgetting to add some type of transformation (in this case p.normalizeIdentifier).

If it was using the same underlying mechanism, existing tests might have caught that normalization is missing. But since this is net new code we need to prove again that it behaves like the other method:

1. Properly finds credentials by their identifier
2. Can deal with normalization
3. Doesn't return invalid results

I'm OK to keep it this way for the sake of getting it shipped, but only if we cover the same test requirements we have for FindByCredentialsTypeAndIdentifier

[kelkarajay]

@aeneasr I didn't forget the normalization 😓 I left it out on purpose because the credential type isn't known before the query. I left a note in the github issue about that earlier - https://github.com/ory-corp/cloud/issues/3947#issuecomment-1422394212

[aeneasr]

Note: This should be handled the persister / pool. It's doesn't affect the behavior of the code but would be "cleaner" in terms of architecture. It's ok to keep it here though, we can clean it up if when FindByCredentialsIdentifier is used somewhere else.

[aeneasr]

Note: If the persister test proves that "out of a list of X elements I find exactly the one element that matches the query", you don't need to test this again in the handler. So the test is fine here like this. This comment is in reference to another comment in the persister tests.

[jonas-jonas]

Nice changes.

[jonas-jonas]

LGTM