Merge remote-tracking branch 'origin/master' into fix/batch-identity-…

…insert-persists-on-failure

selfservice/flow/login/error.go

@@ -6,6 +6,8 @@ package login
 import (
 	"net/http"
 
+	"github.com/gofrs/uuid"
+
 	"go.opentelemetry.io/otel/trace"
 
 	"github.com/ory/kratos/selfservice/sessiontokenexchange"
@@ -88,12 +90,12 @@ func (s *ErrorHandler) WriteFlowError(w http.ResponseWriter, r *http.Request, f
 		Info("Encountered self-service login error.")
 
 	if f == nil {
-		trace.SpanFromContext(r.Context()).AddEvent(events.NewLoginFailed(r.Context(), "", "", false))
+		trace.SpanFromContext(r.Context()).AddEvent(events.NewLoginFailed(r.Context(), uuid.Nil, "", "", false, err))
 		s.forward(w, r, nil, err)
 		return
 	}
 
-	trace.SpanFromContext(r.Context()).AddEvent(events.NewLoginFailed(r.Context(), string(f.Type), string(f.RequestedAAL), f.Refresh))
+	trace.SpanFromContext(r.Context()).AddEvent(events.NewLoginFailed(r.Context(), f.ID, string(f.Type), string(f.RequestedAAL), f.Refresh, err))
 
 	if expired, inner := s.PrepareReplacementForExpiredFlow(w, r, f, err); inner != nil {
 		s.WriteFlowError(w, r, f, group, inner)

selfservice/flow/login/hook.go

@@ -221,6 +221,7 @@ func (e *HookExecutor) PostLoginHook(
 		span.AddEvent(events.NewLoginSucceeded(ctx, &events.LoginSucceededOpts{
 			SessionID:    s.ID,
 			IdentityID:   i.ID,
+			FlowID:       f.ID,
 			FlowType:     string(f.Type),
 			RequestedAAL: string(f.RequestedAAL),
 			IsRefresh:    f.Refresh,
@@ -262,6 +263,7 @@ func (e *HookExecutor) PostLoginHook(
 
 	span.AddEvent(events.NewLoginSucceeded(ctx, &events.LoginSucceededOpts{
 		SessionID:  s.ID,
+		FlowID:     f.ID,
 		IdentityID: i.ID, FlowType: string(f.Type), RequestedAAL: string(f.RequestedAAL), IsRefresh: f.Refresh, Method: f.Active.String(),
 		SSOProvider: provider,
 	}))

selfservice/flow/recovery/error.go

@@ -7,6 +7,8 @@ import (
 	"net/http"
 	"net/url"
 
+	"github.com/gofrs/uuid"
+
 	"go.opentelemetry.io/otel/trace"
 
 	"github.com/ory/kratos/x/events"
@@ -73,12 +75,12 @@ func (s *ErrorHandler) WriteFlowError(
 		Info("Encountered self-service recovery error.")
 
 	if f == nil {
-		trace.SpanFromContext(r.Context()).AddEvent(events.NewRecoveryFailed(r.Context(), "", ""))
+		trace.SpanFromContext(r.Context()).AddEvent(events.NewRecoveryFailed(r.Context(), uuid.Nil, "", "", recoveryErr))
 		s.forward(w, r, nil, recoveryErr)
 		return
 	}
 
-	trace.SpanFromContext(r.Context()).AddEvent(events.NewRecoveryFailed(r.Context(), string(f.Type), f.Active.String()))
+	trace.SpanFromContext(r.Context()).AddEvent(events.NewRecoveryFailed(r.Context(), f.ID, string(f.Type), f.Active.String(), recoveryErr))
 
 	if expiredError := new(flow.ExpiredError); errors.As(recoveryErr, &expiredError) {
 		strategy, err := s.d.RecoveryStrategies(r.Context()).Strategy(f.Active.String())

selfservice/flow/recovery/hook.go

@@ -105,7 +105,7 @@ func (e *HookExecutor) PostRecoveryHook(w http.ResponseWriter, r *http.Request,
 			Debug("ExecutePostRecoveryHook completed successfully.")
 	}
 
-	trace.SpanFromContext(r.Context()).AddEvent(events.NewRecoverySucceeded(r.Context(), s.Identity.ID, string(a.Type), a.Active.String()))
+	trace.SpanFromContext(r.Context()).AddEvent(events.NewRecoverySucceeded(r.Context(), a.ID, s.Identity.ID, string(a.Type), a.Active.String()))
 
 	logger.Debug("Post recovery execution hooks completed successfully.")
 

selfservice/flow/registration/error.go

@@ -6,6 +6,8 @@ package registration
 import (
 	"net/http"
 
+	"github.com/gofrs/uuid"
+
 	"go.opentelemetry.io/otel/trace"
 
 	"github.com/ory/kratos/identity"
@@ -93,11 +95,11 @@ func (s *ErrorHandler) WriteFlowError(
 		Info("Encountered self-service flow error.")
 
 	if f == nil {
-		trace.SpanFromContext(r.Context()).AddEvent(events.NewRegistrationFailed(r.Context(), "", ""))
+		trace.SpanFromContext(r.Context()).AddEvent(events.NewRegistrationFailed(r.Context(), uuid.Nil, "", "", err))
 		s.forward(w, r, nil, err)
 		return
 	}
-	trace.SpanFromContext(r.Context()).AddEvent(events.NewRegistrationFailed(r.Context(), string(f.Type), f.Active.String()))
+	trace.SpanFromContext(r.Context()).AddEvent(events.NewRegistrationFailed(r.Context(), f.ID, string(f.Type), f.Active.String(), err))
 
 	if expired, inner := s.PrepareReplacementForExpiredFlow(w, r, f, err); inner != nil {
 		s.forward(w, r, f, err)

selfservice/flow/registration/hook.go

@@ -213,7 +213,7 @@ func (e *HookExecutor) PostRegistrationHook(w http.ResponseWriter, r *http.Reque
 		WithField("identity_id", i.ID).
 		Info("A new identity has registered using self-service registration.")
 
-	span.AddEvent(events.NewRegistrationSucceeded(ctx, i.ID, string(registrationFlow.Type), registrationFlow.Active.String(), provider))
+	span.AddEvent(events.NewRegistrationSucceeded(ctx, registrationFlow.ID, i.ID, string(registrationFlow.Type), registrationFlow.Active.String(), provider))
 
 	s := session.NewInactiveSession()
 

selfservice/flow/settings/error.go

@@ -8,6 +8,8 @@ import (
 	"net/http"
 	"net/url"
 
+	"github.com/gofrs/uuid"
+
 	"github.com/ory/x/otelx"
 
 	"go.opentelemetry.io/otel/trace"
@@ -180,11 +182,11 @@ func (s *ErrorHandler) WriteFlowError(
 	}
 
 	if f == nil {
-		trace.SpanFromContext(ctx).AddEvent(events.NewSettingsFailed(ctx, "", ""))
+		trace.SpanFromContext(ctx).AddEvent(events.NewSettingsFailed(ctx, uuid.Nil, "", "", err))
 		s.forward(ctx, w, r, nil, err)
 		return
 	}
-	trace.SpanFromContext(ctx).AddEvent(events.NewSettingsFailed(ctx, string(f.Type), f.Active.String()))
+	trace.SpanFromContext(ctx).AddEvent(events.NewSettingsFailed(ctx, f.ID, string(f.Type), f.Active.String(), err))
 
 	if expired, inner := s.PrepareReplacementForExpiredFlow(ctx, w, r, f, id, err); inner != nil {
 		s.forward(ctx, w, r, f, err)

selfservice/flow/settings/hook.go

@@ -285,7 +285,7 @@ func (e *HookExecutor) PostSettingsHook(ctx context.Context, w http.ResponseWrit
 		Debug("Completed all PostSettingsPrePersistHooks and PostSettingsPostPersistHooks.")
 
 	trace.SpanFromContext(ctx).AddEvent(events.NewSettingsSucceeded(
-		ctx, i.ID, string(ctxUpdate.Flow.Type), settingsType))
+		ctx, ctxUpdate.Flow.ID, i.ID, string(ctxUpdate.Flow.Type), settingsType))
 
 	if ctxUpdate.Flow.Type == flow.TypeAPI {
 		updatedFlow, err := e.d.SettingsFlowPersister().GetSettingsFlow(ctx, ctxUpdate.Flow.ID)

selfservice/flow/verification/error.go

@@ -7,6 +7,8 @@ import (
 	"net/http"
 	"net/url"
 
+	"github.com/gofrs/uuid"
+
 	"go.opentelemetry.io/otel/trace"
 
 	"github.com/ory/kratos/x/events"
@@ -69,11 +71,11 @@ func (s *ErrorHandler) WriteFlowError(
 		Info("Encountered self-service verification error.")
 
 	if f == nil {
-		trace.SpanFromContext(r.Context()).AddEvent(events.NewVerificationFailed(r.Context(), "", ""))
+		trace.SpanFromContext(r.Context()).AddEvent(events.NewVerificationFailed(r.Context(), uuid.Nil, "", "", err))
 		s.forward(w, r, nil, err)
 		return
 	}
-	trace.SpanFromContext(r.Context()).AddEvent(events.NewVerificationFailed(r.Context(), string(f.Type), f.Active.String()))
+	trace.SpanFromContext(r.Context()).AddEvent(events.NewVerificationFailed(r.Context(), f.ID, string(f.Type), f.Active.String(), err))
 
 	if e := new(flow.ExpiredError); errors.As(err, &e) {
 		strategy, err := s.d.VerificationStrategies(r.Context()).Strategy(f.Active.String())

selfservice/flow/verification/hook.go

@@ -112,7 +112,7 @@ func (e *HookExecutor) PostVerificationHook(w http.ResponseWriter, r *http.Reque
 			Debug("ExecutePostVerificationHook completed successfully.")
 	}
 
-	trace.SpanFromContext(r.Context()).AddEvent(events.NewVerificationSucceeded(r.Context(), i.ID, string(a.Type), a.Active.String()))
+	trace.SpanFromContext(r.Context()).AddEvent(events.NewVerificationSucceeded(r.Context(), a.ID, i.ID, string(a.Type), a.Active.String()))
 
 	e.d.Logger().
 		WithRequest(r).

selfservice/hook/session_issuer.go

@@ -75,6 +75,7 @@ func (e *SessionIssuer) executePostRegistrationPostPersistHook(w http.ResponseWr
 		trace.SpanFromContext(r.Context()).AddEvent(events.NewLoginSucceeded(r.Context(), &events.LoginSucceededOpts{
 			SessionID:  s.ID,
 			IdentityID: s.Identity.ID,
+			FlowID:     a.ID,
 			FlowType:   string(a.Type),
 			Method:     a.Active.String(),
 		}))
@@ -90,6 +91,7 @@ func (e *SessionIssuer) executePostRegistrationPostPersistHook(w http.ResponseWr
 	trace.SpanFromContext(r.Context()).AddEvent(events.NewLoginSucceeded(r.Context(), &events.LoginSucceededOpts{
 		SessionID:  s.ID,
 		IdentityID: s.Identity.ID,
+		FlowID:     a.ID,
 		FlowType:   string(a.Type),
 		Method:     a.Active.String(),
 	}))

x/events/events.go

@@ -5,13 +5,16 @@ package events
 
 import (
 	"context"
+	"errors"
 	"net/url"
 	"time"
 
 	"github.com/gofrs/uuid"
 	otelattr "go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
 
+	"github.com/ory/herodot"
+	"github.com/ory/kratos/schema"
 	"github.com/ory/x/otelx/semconv"
 )
 
@@ -56,6 +59,8 @@ const (
 	attributeKeyWebhookResponseStatusCode       semconv.AttributeKey = "WebhookResponseStatusCode"
 	attributeKeyWebhookAttemptNumber            semconv.AttributeKey = "WebhookAttemptNumber"
 	attributeKeyWebhookRequestID                semconv.AttributeKey = "WebhookRequestID"
+	attributeKeyReason                          semconv.AttributeKey = "Reason"
+	attributeKeyFlowID                          semconv.AttributeKey = "FlowID"
 )
 
 func attrSessionID(val uuid.UUID) otelattr.KeyValue {
@@ -118,6 +123,14 @@ func attrWebhookRequestID(id uuid.UUID) otelattr.KeyValue {
 	return otelattr.String(attributeKeyWebhookRequestID.String(), id.String())
 }
 
+func attrReason(err error) otelattr.KeyValue {
+	return otelattr.String(attributeKeyReason.String(), reasonForError(err))
+}
+
+func attrFlowID(id uuid.UUID) otelattr.KeyValue {
+	return otelattr.String(attributeKeyFlowID.String(), id.String())
+}
+
 func NewSessionIssued(ctx context.Context, aal string, sessionID, identityID uuid.UUID) (string, trace.EventOption) {
 	return SessionIssued.String(),
 		trace.WithAttributes(
@@ -155,7 +168,7 @@ func NewSessionLifespanExtended(ctx context.Context, sessionID, identityID uuid.
 }
 
 type LoginSucceededOpts struct {
-	SessionID, IdentityID                       uuid.UUID
+	SessionID, IdentityID, FlowID               uuid.UUID
 	FlowType, RequestedAAL, Method, SSOProvider string
 	IsRefresh                                   bool
 }
@@ -172,84 +185,97 @@ func NewLoginSucceeded(ctx context.Context, o *LoginSucceededOpts) (string, trac
 				attLoginRequestedPrivilegedSession(o.IsRefresh),
 				attrSelfServiceMethodUsed(o.Method),
 				attrSelfServiceSSOProviderUsed(o.SSOProvider),
+				attrFlowID(o.FlowID),
 			)...,
 		)
 }
 
-func NewRegistrationSucceeded(ctx context.Context, identityID uuid.UUID, flowType string, method, provider string) (string, trace.EventOption) {
+func NewRegistrationSucceeded(ctx context.Context, flowID, identityID uuid.UUID, flowType, method, provider string) (string, trace.EventOption) {
 	return RegistrationSucceeded.String(),
 		trace.WithAttributes(append(
 			semconv.AttributesFromContext(ctx),
 			attrSelfServiceFlowType(flowType),
 			semconv.AttrIdentityID(identityID),
 			attrSelfServiceMethodUsed(method),
 			attrSelfServiceSSOProviderUsed(provider),
+			attrFlowID(flowID),
 		)...)
 }
 
-func NewRecoverySucceeded(ctx context.Context, identityID uuid.UUID, flowType string, method string) (string, trace.EventOption) {
+func NewRecoverySucceeded(ctx context.Context, flowID, identityID uuid.UUID, flowType, method string) (string, trace.EventOption) {
 	return RecoverySucceeded.String(),
 		trace.WithAttributes(append(
 			semconv.AttributesFromContext(ctx),
 			attrSelfServiceFlowType(flowType),
 			semconv.AttrIdentityID(identityID),
 			attrSelfServiceMethodUsed(method),
+			attrFlowID(flowID),
 		)...)
 }
 
-func NewSettingsSucceeded(ctx context.Context, identityID uuid.UUID, flowType string, method string) (string, trace.EventOption) {
+func NewSettingsSucceeded(ctx context.Context, flowID, identityID uuid.UUID, flowType, method string) (string, trace.EventOption) {
 	return SettingsSucceeded.String(),
 		trace.WithAttributes(append(
 			semconv.AttributesFromContext(ctx),
 			attrSelfServiceFlowType(flowType),
 			semconv.AttrIdentityID(identityID),
 			attrSelfServiceMethodUsed(method),
+			attrFlowID(flowID),
 		)...)
 }
 
-func NewVerificationSucceeded(ctx context.Context, identityID uuid.UUID, flowType string, method string) (string, trace.EventOption) {
+func NewVerificationSucceeded(ctx context.Context, flowID, identityID uuid.UUID, flowType, method string) (string, trace.EventOption) {
 	return VerificationSucceeded.String(),
 		trace.WithAttributes(append(
 			semconv.AttributesFromContext(ctx),
 			attrSelfServiceMethodUsed(method),
 			attrSelfServiceFlowType(flowType),
 			semconv.AttrIdentityID(identityID),
+			attrFlowID(flowID),
 		)...)
 }
 
-func NewRegistrationFailed(ctx context.Context, flowType string, method string) (string, trace.EventOption) {
+func NewRegistrationFailed(ctx context.Context, flowID uuid.UUID, flowType, method string, err error) (string, trace.EventOption) {
 	return RegistrationFailed.String(),
 		trace.WithAttributes(append(
 			semconv.AttributesFromContext(ctx),
 			attrSelfServiceFlowType(flowType),
 			attrSelfServiceMethodUsed(method),
+			attrReason(err),
+			attrFlowID(flowID),
 		)...)
 }
 
-func NewRecoveryFailed(ctx context.Context, flowType string, method string) (string, trace.EventOption) {
+func NewRecoveryFailed(ctx context.Context, flowID uuid.UUID, flowType, method string, err error) (string, trace.EventOption) {
 	return RecoveryFailed.String(),
 		trace.WithAttributes(append(
 			semconv.AttributesFromContext(ctx),
 			attrSelfServiceFlowType(flowType),
 			attrSelfServiceMethodUsed(method),
+			attrReason(err),
+			attrFlowID(flowID),
 		)...)
 }
 
-func NewSettingsFailed(ctx context.Context, flowType string, method string) (string, trace.EventOption) {
+func NewSettingsFailed(ctx context.Context, flowID uuid.UUID, flowType, method string, err error) (string, trace.EventOption) {
 	return SettingsFailed.String(),
 		trace.WithAttributes(append(
 			semconv.AttributesFromContext(ctx),
 			attrSelfServiceFlowType(flowType),
 			attrSelfServiceMethodUsed(method),
+			attrReason(err),
+			attrFlowID(flowID),
 		)...)
 }
 
-func NewVerificationFailed(ctx context.Context, flowType string, method string) (string, trace.EventOption) {
+func NewVerificationFailed(ctx context.Context, flowID uuid.UUID, flowType, method string, err error) (string, trace.EventOption) {
 	return VerificationFailed.String(),
 		trace.WithAttributes(append(
 			semconv.AttributesFromContext(ctx),
 			attrSelfServiceFlowType(flowType),
 			attrSelfServiceMethodUsed(method),
+			attrReason(err),
+			attrFlowID(flowID),
 		)...)
 }
 
@@ -283,13 +309,15 @@ func NewIdentityUpdated(ctx context.Context, identityID uuid.UUID) (string, trac
 		)
 }
 
-func NewLoginFailed(ctx context.Context, flowType string, requestedAAL string, isRefresh bool) (string, trace.EventOption) {
+func NewLoginFailed(ctx context.Context, flowID uuid.UUID, flowType, requestedAAL string, isRefresh bool, err error) (string, trace.EventOption) {
 	return LoginFailed.String(),
 		trace.WithAttributes(append(
 			semconv.AttributesFromContext(ctx),
 			attrSelfServiceFlowType(flowType),
 			attLoginRequestedAAL(requestedAAL),
 			attLoginRequestedPrivilegedSession(isRefresh),
+			attrReason(err),
+			attrFlowID(flowID),
 		)...)
 }
 
@@ -356,3 +384,13 @@ func NewWebhookFailed(ctx context.Context, err error) (string, trace.EventOption
 			)...,
 		)
 }
+
+func reasonForError(err error) string {
+	if ve := new(schema.ValidationError); errors.As(err, &ve) {
+		return ve.Message
+	}
+	if r := *new(herodot.ReasonCarrier); errors.As(err, &r) {
+		return r.Reason()
+	}
+	return err.Error()
+}