Merge commit '1406c20959678870fe01564147613b24806697a2'

2026-02-03 14:27:21 +09:00
parent d09abab5a2 1406c20959
commit 3868f5967e
25 changed files with 4683 additions and 277 deletions
--- a/backend/internal/service/descope_service.go
+++ b/backend/internal/service/descope_service.go
@@ -135,7 +135,8 @@ func (d *DescopeProvider) SignIn(loginID, password string) (*domain.AuthInfo, er
 			Expiration: time.Unix(authInfo.SessionToken.Expiration, 0),
 			SessionID:  authInfo.SessionToken.ID,
 		},
-		Subject: authInfo.User.UserID,
+		// 내부 식별자는 Kratos identity ID로 통일합니다.
+		Subject: "",
 	}
 	if authInfo.RefreshToken != nil {
 		res.RefreshToken = &domain.Token{
@@ -204,7 +205,8 @@ func (d *DescopeProvider) IssueSession(loginID string) (*domain.AuthInfo, error)
 			Expiration: time.Unix(authInfo.SessionToken.Expiration, 0),
 			SessionID:  authInfo.SessionToken.ID,
 		},
-		Subject: authInfo.User.UserID,
+		// 내부 식별자는 Kratos identity ID로 통일합니다.
+		Subject: "",
 	}
 	if authInfo.RefreshToken != nil {
 		res.RefreshToken = &domain.Token{
--- a/backend/internal/service/hydra_admin_service.go
+++ b/backend/internal/service/hydra_admin_service.go
@@ -46,13 +46,17 @@ type HydraConsentRequest struct {
 }

 type HydraConsentSession struct {
-	Subject         string      `json:"subject"`
-	GrantedScope    []string    `json:"granted_scope"`
-	GrantedAudience []string    `json:"granted_audience,omitempty"`
-	Remember        bool        `json:"remember"`
-	AuthenticatedAt *time.Time  `json:"authenticated_at,omitempty"`
-	RequestedAt     *time.Time  `json:"requested_at,omitempty"`
-	Client          HydraClient `json:"client"`
+	ConsentRequestID string               `json:"consent_request_id,omitempty"`
+	Subject          string               `json:"subject,omitempty"`
+	GrantedScope     []string             `json:"grant_scope,omitempty"`
+	GrantedAudience  []string             `json:"grant_access_token_audience,omitempty"`
+	Remember         bool                 `json:"remember"`
+	RememberFor      int                  `json:"remember_for,omitempty"`
+	AuthenticatedAt  *time.Time           `json:"authenticated_at,omitempty"`
+	RequestedAt      *time.Time           `json:"requested_at,omitempty"`
+	HandledAt        *time.Time           `json:"handled_at,omitempty"`
+	Client           HydraClient          `json:"client,omitempty"`
+	ConsentRequest   *HydraConsentRequest `json:"consent_request,omitempty"`
 }

 func NewHydraAdminService() *HydraAdminService {
@@ -267,13 +271,13 @@ func (s *HydraAdminService) ListConsentSessions(ctx context.Context, subject, cl
 	}
 	defer resp.Body.Close()

+	body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
 	if resp.StatusCode >= 300 {
-		body, _ := io.ReadAll(io.LimitReader(resp.Body, 2048))
 		return nil, fmt.Errorf("hydra admin: list consent sessions failed status=%d body=%s", resp.StatusCode, string(body))
 	}

 	var sessions []HydraConsentSession
-	if err := json.NewDecoder(resp.Body).Decode(&sessions); err != nil {
+	if err := json.Unmarshal(body, &sessions); err != nil {
 		return nil, fmt.Errorf("hydra admin: decode consent sessions failed: %w", err)
 	}
 	return sessions, nil
@@ -398,7 +402,7 @@ func (s *HydraAdminService) GetConsentRequest(ctx context.Context, challenge str
 	return &consentReq, nil
 }

-func (s *HydraAdminService) AcceptConsentRequest(ctx context.Context, challenge string, grantInfo *HydraConsentRequest) (*AcceptConsentRequestResponse, error) {
+func (s *HydraAdminService) AcceptConsentRequest(ctx context.Context, challenge string, grantInfo *HydraConsentRequest, sessionClaims map[string]any) (*AcceptConsentRequestResponse, error) {
 	params := map[string]string{
 		"consent_challenge": challenge,
 	}
@@ -413,6 +417,12 @@ func (s *HydraAdminService) AcceptConsentRequest(ctx context.Context, challenge
 		"remember":       true,
 		"remember_for":   3600,
 	}
+	if len(sessionClaims) > 0 {
+		payload["session"] = map[string]any{
+			"id_token":     sessionClaims,
+			"access_token": sessionClaims,
+		}
+	}
 	body, _ := json.Marshal(payload)

 	req, err := http.NewRequestWithContext(ctx, "PUT", endpoint, bytes.NewReader(body))
@@ -443,7 +453,6 @@ func (s *HydraAdminService) AcceptConsentRequest(ctx context.Context, challenge
 	return &AcceptConsentRequestResponse{RedirectTo: hydraResp.RedirectTo}, nil
 }

-
 func (s *HydraAdminService) AcceptLoginRequest(ctx context.Context, challenge string, subject string) (*AcceptLoginRequestResponse, error) {
 	params := map[string]string{
 		"login_challenge": challenge,