mirrors/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel synced 2024-11-22 18:44:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
c3862245a9
zitadel/internal/integration/oidc.go

355 lines
13 KiB
Go
Raw Normal View History

feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
package integration
import (
"context"
"fmt"
test: no location header in response (#8441) # Which Problems Are Solved Sometimes integrations tests are failing with an error `http: no location header in response`. The underlying cause was hidden, as in some tests we assumed a 3xx range response but got a 4xx response instead. No assertion on the status code was made, resulting in the above error message on calling `resp.Location()`. The underlying issue, the application not found in the projection, is also fixed. # How the Problems Are Solved This change adds a check for the status code and returns the response body if the response is not in the 3xx status code range. Helper function that create applications now do an additional `GetAppByID` in a retry loop to ensure consitency in the projection before proceeding with tests. # Additional Changes - none # Additional Context - Pipline failures were observed, no issue was created - Cherry-picked form WIP #8407 Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-08-17 14:48:06 +00:00
"io"
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
"net/http"
"net/url"
"strings"
"time"
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
"github.com/brianvoe/gofakeit/v6"
chore(deps): upgrade to oidc v3 (#6737) This pr upgrades oidc to v3 . Function signature changes have been migrated as well. Specifically there are more client calls that take a context now. Where feasable a context is added to those calls. Where a context is not (easily) available context.TODO() is used as a reminder for when it does. Related to #6619
2023-10-17 15:19:51 +00:00
"github.com/zitadel/oidc/v3/pkg/client"
"github.com/zitadel/oidc/v3/pkg/client/rp"
"github.com/zitadel/oidc/v3/pkg/client/rs"
"github.com/zitadel/oidc/v3/pkg/oidc"
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
"google.golang.org/protobuf/types/known/timestamppb"
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
http_util "github.com/zitadel/zitadel/internal/api/http"
oidc_internal "github.com/zitadel/zitadel/internal/api/oidc"
"github.com/zitadel/zitadel/pkg/grpc/app"
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
"github.com/zitadel/zitadel/pkg/grpc/authn"
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
"github.com/zitadel/zitadel/pkg/grpc/management"
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
"github.com/zitadel/zitadel/pkg/grpc/user"
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
)
feat(oidc): token exchange impersonation (#7516) * add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2024-03-20 10:18:46 +00:00
func (s *Tester) CreateOIDCClient(ctx context.Context, redirectURI, logoutRedirectURI, projectID string, appType app.OIDCAppType, authMethod app.OIDCAuthMethodType, devMode bool, grantTypes ...app.OIDCGrantType) (*management.AddOIDCAppResponse, error) {
if len(grantTypes) == 0 {
grantTypes = []app.OIDCGrantType{app.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE, app.OIDCGrantType_OIDC_GRANT_TYPE_REFRESH_TOKEN}
}
test: no location header in response (#8441) # Which Problems Are Solved Sometimes integrations tests are failing with an error `http: no location header in response`. The underlying cause was hidden, as in some tests we assumed a 3xx range response but got a 4xx response instead. No assertion on the status code was made, resulting in the above error message on calling `resp.Location()`. The underlying issue, the application not found in the projection, is also fixed. # How the Problems Are Solved This change adds a check for the status code and returns the response body if the response is not in the 3xx status code range. Helper function that create applications now do an additional `GetAppByID` in a retry loop to ensure consitency in the projection before proceeding with tests. # Additional Changes - none # Additional Context - Pipline failures were observed, no issue was created - Cherry-picked form WIP #8407 Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-08-17 14:48:06 +00:00
resp, err := s.Client.Mgmt.AddOIDCApp(ctx, &management.AddOIDCAppRequest{
feat(API): support V2 token and session token usage (#6180) This PR adds support for userinfo and introspection of V2 tokens. Further V2 access tokens and session tokens can be used for authentication on the ZITADEL API (like the current access tokens).
2023-07-14 11:16:16 +00:00
ProjectId: projectID,
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
Name: fmt.Sprintf("app-%d", time.Now().UnixNano()),
RedirectUris: []string{redirectURI},
ResponseTypes: []app.OIDCResponseType{app.OIDCResponseType_OIDC_RESPONSE_TYPE_CODE},
feat(oidc): token exchange impersonation (#7516) * add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2024-03-20 10:18:46 +00:00
GrantTypes: grantTypes,
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
AppType: appType,
AuthMethodType: authMethod,
feat(OIDC): add support for end_session for V2 tokens (#6226) This PR adds support for the OIDC end_session_endpoint for V2 tokens. Sending an id_token_hint as parameter will directly terminate the underlying (SSO) session and all its tokens. Without this param, the user will be redirected to the Login UI, where he will able to choose if to logout.
2023-07-19 11:17:39 +00:00
PostLogoutRedirectUris: []string{logoutRedirectURI},
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
Version: app.OIDCVersion_OIDC_VERSION_1_0,
feat: allow glob redirects (#7091) fixes #5110
2023-12-28 09:25:18 +00:00
DevMode: devMode,
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
AccessTokenType: app.OIDCTokenType_OIDC_TOKEN_TYPE_JWT,
AccessTokenRoleAssertion: false,
IdTokenRoleAssertion: false,
IdTokenUserinfoAssertion: false,
ClockSkew: nil,
AdditionalOrigins: nil,
SkipNativeAppSuccessPage: false,
})
test: no location header in response (#8441) # Which Problems Are Solved Sometimes integrations tests are failing with an error `http: no location header in response`. The underlying cause was hidden, as in some tests we assumed a 3xx range response but got a 4xx response instead. No assertion on the status code was made, resulting in the above error message on calling `resp.Location()`. The underlying issue, the application not found in the projection, is also fixed. # How the Problems Are Solved This change adds a check for the status code and returns the response body if the response is not in the 3xx status code range. Helper function that create applications now do an additional `GetAppByID` in a retry loop to ensure consitency in the projection before proceeding with tests. # Additional Changes - none # Additional Context - Pipline failures were observed, no issue was created - Cherry-picked form WIP #8407 Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-08-17 14:48:06 +00:00
if err != nil {
return nil, err
}
return resp, await(func() error {
_, err := s.Client.Mgmt.GetAppByID(ctx, &management.GetAppByIDRequest{
ProjectId: projectID,
AppId: resp.GetAppId(),
})
return err
})
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
}
feat: allow glob redirects (#7091) fixes #5110
2023-12-28 09:25:18 +00:00
func (s *Tester) CreateOIDCNativeClient(ctx context.Context, redirectURI, logoutRedirectURI, projectID string, devMode bool) (*management.AddOIDCAppResponse, error) {
return s.CreateOIDCClient(ctx, redirectURI, logoutRedirectURI, projectID, app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, devMode)
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
}
func (s *Tester) CreateOIDCWebClientBasic(ctx context.Context, redirectURI, logoutRedirectURI, projectID string) (*management.AddOIDCAppResponse, error) {
feat: allow glob redirects (#7091) fixes #5110
2023-12-28 09:25:18 +00:00
return s.CreateOIDCClient(ctx, redirectURI, logoutRedirectURI, projectID, app.OIDCAppType_OIDC_APP_TYPE_WEB, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC, false)
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
}
feat(oidc): token exchange impersonation (#7516) * add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2024-03-20 10:18:46 +00:00
func (s *Tester) CreateOIDCWebClientJWT(ctx context.Context, redirectURI, logoutRedirectURI, projectID string, grantTypes ...app.OIDCGrantType) (client *management.AddOIDCAppResponse, keyData []byte, err error) {
client, err = s.CreateOIDCClient(ctx, redirectURI, logoutRedirectURI, projectID, app.OIDCAppType_OIDC_APP_TYPE_WEB, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT, false, grantTypes...)
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
if err != nil {
return nil, nil, err
}
key, err := s.Client.Mgmt.AddAppKey(ctx, &management.AddAppKeyRequest{
ProjectId: projectID,
AppId: client.GetAppId(),
Type: authn.KeyType_KEY_TYPE_JSON,
ExpirationDate: timestamppb.New(time.Now().Add(time.Hour)),
})
if err != nil {
return nil, nil, err
}
return client, key.GetKeyDetails(), nil
}
func (s *Tester) CreateOIDCInactivateClient(ctx context.Context, redirectURI, logoutRedirectURI, projectID string) (*management.AddOIDCAppResponse, error) {
feat: allow glob redirects (#7091) fixes #5110
2023-12-28 09:25:18 +00:00
client, err := s.CreateOIDCNativeClient(ctx, redirectURI, logoutRedirectURI, projectID, false)
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
if err != nil {
return nil, err
}
_, err = s.Client.Mgmt.DeactivateApp(ctx, &management.DeactivateAppRequest{
ProjectId: projectID,
AppId: client.GetAppId(),
})
if err != nil {
return nil, err
}
return client, err
}
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
func (s *Tester) CreateOIDCImplicitFlowClient(ctx context.Context, redirectURI string) (*management.AddOIDCAppResponse, error) {
project, err := s.Client.Mgmt.AddProject(ctx, &management.AddProjectRequest{
Name: fmt.Sprintf("project-%d", time.Now().UnixNano()),
})
if err != nil {
return nil, err
}
test: no location header in response (#8441) # Which Problems Are Solved Sometimes integrations tests are failing with an error `http: no location header in response`. The underlying cause was hidden, as in some tests we assumed a 3xx range response but got a 4xx response instead. No assertion on the status code was made, resulting in the above error message on calling `resp.Location()`. The underlying issue, the application not found in the projection, is also fixed. # How the Problems Are Solved This change adds a check for the status code and returns the response body if the response is not in the 3xx status code range. Helper function that create applications now do an additional `GetAppByID` in a retry loop to ensure consitency in the projection before proceeding with tests. # Additional Changes - none # Additional Context - Pipline failures were observed, no issue was created - Cherry-picked form WIP #8407 Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-08-17 14:48:06 +00:00
resp, err := s.Client.Mgmt.AddOIDCApp(ctx, &management.AddOIDCAppRequest{
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
ProjectId: project.GetId(),
Name: fmt.Sprintf("app-%d", time.Now().UnixNano()),
RedirectUris: []string{redirectURI},
ResponseTypes: []app.OIDCResponseType{app.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN},
GrantTypes: []app.OIDCGrantType{app.OIDCGrantType_OIDC_GRANT_TYPE_IMPLICIT},
AppType: app.OIDCAppType_OIDC_APP_TYPE_USER_AGENT,
AuthMethodType: app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE,
PostLogoutRedirectUris: nil,
Version: app.OIDCVersion_OIDC_VERSION_1_0,
DevMode: true,
AccessTokenType: app.OIDCTokenType_OIDC_TOKEN_TYPE_JWT,
AccessTokenRoleAssertion: false,
IdTokenRoleAssertion: false,
IdTokenUserinfoAssertion: false,
ClockSkew: nil,
AdditionalOrigins: nil,
SkipNativeAppSuccessPage: false,
})
test: no location header in response (#8441) # Which Problems Are Solved Sometimes integrations tests are failing with an error `http: no location header in response`. The underlying cause was hidden, as in some tests we assumed a 3xx range response but got a 4xx response instead. No assertion on the status code was made, resulting in the above error message on calling `resp.Location()`. The underlying issue, the application not found in the projection, is also fixed. # How the Problems Are Solved This change adds a check for the status code and returns the response body if the response is not in the 3xx status code range. Helper function that create applications now do an additional `GetAppByID` in a retry loop to ensure consitency in the projection before proceeding with tests. # Additional Changes - none # Additional Context - Pipline failures were observed, no issue was created - Cherry-picked form WIP #8407 Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-08-17 14:48:06 +00:00
if err != nil {
return nil, err
}
return resp, await(func() error {
_, err := s.Client.Mgmt.GetAppByID(ctx, &management.GetAppByIDRequest{
ProjectId: project.GetId(),
AppId: resp.GetAppId(),
})
return err
})
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
}
feat(oidc): token exchange impersonation (#7516) * add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers
2024-03-20 10:18:46 +00:00
func (s *Tester) CreateOIDCTokenExchangeClient(ctx context.Context) (client *management.AddOIDCAppResponse, keyData []byte, err error) {
project, err := s.Client.Mgmt.AddProject(ctx, &management.AddProjectRequest{
Name: fmt.Sprintf("project-%d", time.Now().UnixNano()),
})
if err != nil {
return nil, nil, err
}
return s.CreateOIDCWebClientJWT(ctx, "", "", project.GetId(), app.OIDCGrantType_OIDC_GRANT_TYPE_TOKEN_EXCHANGE, app.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE, app.OIDCGrantType_OIDC_GRANT_TYPE_REFRESH_TOKEN)
}
feat(API): support V2 token and session token usage (#6180) This PR adds support for userinfo and introspection of V2 tokens. Further V2 access tokens and session tokens can be used for authentication on the ZITADEL API (like the current access tokens).
2023-07-14 11:16:16 +00:00
func (s *Tester) CreateProject(ctx context.Context) (*management.AddProjectResponse, error) {
return s.Client.Mgmt.AddProject(ctx, &management.AddProjectRequest{
Name: fmt.Sprintf("project-%d", time.Now().UnixNano()),
})
}
fix(oidc): nil check for client secret (#7115) This fixes a nil pointer panic when client basic auth is attempted on a client without secret in introspection.
2023-12-28 13:31:41 +00:00
func (s *Tester) CreateAPIClientJWT(ctx context.Context, projectID string) (*management.AddAPIAppResponse, error) {
feat(API): support V2 token and session token usage (#6180) This PR adds support for userinfo and introspection of V2 tokens. Further V2 access tokens and session tokens can be used for authentication on the ZITADEL API (like the current access tokens).
2023-07-14 11:16:16 +00:00
return s.Client.Mgmt.AddAPIApp(ctx, &management.AddAPIAppRequest{
ProjectId: projectID,
Name: fmt.Sprintf("api-%d", time.Now().UnixNano()),
AuthMethodType: app.APIAuthMethodType_API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT,
})
}
fix(oidc): nil check for client secret (#7115) This fixes a nil pointer panic when client basic auth is attempted on a client without secret in introspection.
2023-12-28 13:31:41 +00:00
func (s *Tester) CreateAPIClientBasic(ctx context.Context, projectID string) (*management.AddAPIAppResponse, error) {
return s.Client.Mgmt.AddAPIApp(ctx, &management.AddAPIAppRequest{
ProjectId: projectID,
Name: fmt.Sprintf("api-%d", time.Now().UnixNano()),
AuthMethodType: app.APIAuthMethodType_API_AUTH_METHOD_TYPE_BASIC,
})
}
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
const CodeVerifier = "codeVerifier"
chore(deps): upgrade to oidc v3 (#6737) This pr upgrades oidc to v3 . Function signature changes have been migrated as well. Specifically there are more client calls that take a context now. Where feasable a context is added to those calls. Where a context is not (easily) available context.TODO() is used as a reminder for when it does. Related to #6619
2023-10-17 15:19:51 +00:00
func (s *Tester) CreateOIDCAuthRequest(ctx context.Context, clientID, loginClient, redirectURI string, scope ...string) (authRequestID string, err error) {
fix: consider oidc session events for authN milestones (#8089) # Which Problems Are Solved After migrating the access token events in #7822, milestones based on authentication, resp. theses events would not be reached. # How the Problems Are Solved Additionally use the `oidc_session.Added` event to check for `milestone.AuthenticationSucceededOnInstance` and `milestone.AuthenticationSucceededOnApplication`. # Additional Changes None. # Additional Context - relates to #7822 - noticed internally
2024-06-12 04:49:14 +00:00
return s.CreateOIDCAuthRequestWithDomain(ctx, s.Config.ExternalDomain, clientID, loginClient, redirectURI, scope...)
}
func (s *Tester) CreateOIDCAuthRequestWithDomain(ctx context.Context, domain, clientID, loginClient, redirectURI string, scope ...string) (authRequestID string, err error) {
provider, err := s.CreateRelyingPartyForDomain(ctx, domain, clientID, redirectURI, scope...)
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
if err != nil {
return "", err
}
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
codeChallenge := oidc.NewSHACodeChallenge(CodeVerifier)
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
authURL := rp.AuthURL("state", provider, rp.WithCodeChallenge(codeChallenge))
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 09:26:14 +00:00
req, err := GetRequest(authURL, map[string]string{oidc_internal.LoginClientHeader: loginClient})
if err != nil {
return "", err
}
loc, err := CheckRedirect(req)
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
if err != nil {
return "", err
}
prefixWithHost := provider.Issuer() + s.Config.OIDC.DefaultLoginURLV2
if !strings.HasPrefix(loc.String(), prefixWithHost) {
return "", fmt.Errorf("login location has not prefix %s, but is %s", prefixWithHost, loc.String())
}
return strings.TrimPrefix(loc.String(), prefixWithHost), nil
}
chore(deps): upgrade to oidc v3 (#6737) This pr upgrades oidc to v3 . Function signature changes have been migrated as well. Specifically there are more client calls that take a context now. Where feasable a context is added to those calls. Where a context is not (easily) available context.TODO() is used as a reminder for when it does. Related to #6619
2023-10-17 15:19:51 +00:00
func (s *Tester) CreateOIDCAuthRequestImplicit(ctx context.Context, clientID, loginClient, redirectURI string, scope ...string) (authRequestID string, err error) {
provider, err := s.CreateRelyingParty(ctx, clientID, redirectURI, scope...)
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
if err != nil {
return "", err
}
authURL := rp.AuthURL("state", provider)
// implicit is not natively supported so let's just overwrite the response type
parsed, _ := url.Parse(authURL)
queries := parsed.Query()
queries.Set("response_type", string(oidc.ResponseTypeIDToken))
parsed.RawQuery = queries.Encode()
authURL = parsed.String()
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 09:26:14 +00:00
req, err := GetRequest(authURL, map[string]string{oidc_internal.LoginClientHeader: loginClient})
if err != nil {
return "", err
}
loc, err := CheckRedirect(req)
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
if err != nil {
return "", err
}
prefixWithHost := provider.Issuer() + s.Config.OIDC.DefaultLoginURLV2
if !strings.HasPrefix(loc.String(), prefixWithHost) {
return "", fmt.Errorf("login location has not prefix %s, but is %s", prefixWithHost, loc.String())
}
return strings.TrimPrefix(loc.String(), prefixWithHost), nil
}
feat(API): support V2 token and session token usage (#6180) This PR adds support for userinfo and introspection of V2 tokens. Further V2 access tokens and session tokens can be used for authentication on the ZITADEL API (like the current access tokens).
2023-07-14 11:16:16 +00:00
func (s *Tester) OIDCIssuer() string {
return http_util.BuildHTTP(s.Config.ExternalDomain, s.Config.Port, s.Config.ExternalSecure)
}
chore(deps): upgrade to oidc v3 (#6737) This pr upgrades oidc to v3 . Function signature changes have been migrated as well. Specifically there are more client calls that take a context now. Where feasable a context is added to those calls. Where a context is not (easily) available context.TODO() is used as a reminder for when it does. Related to #6619
2023-10-17 15:19:51 +00:00
func (s *Tester) CreateRelyingParty(ctx context.Context, clientID, redirectURI string, scope ...string) (rp.RelyingParty, error) {
fix: consider oidc session events for authN milestones (#8089) # Which Problems Are Solved After migrating the access token events in #7822, milestones based on authentication, resp. theses events would not be reached. # How the Problems Are Solved Additionally use the `oidc_session.Added` event to check for `milestone.AuthenticationSucceededOnInstance` and `milestone.AuthenticationSucceededOnApplication`. # Additional Changes None. # Additional Context - relates to #7822 - noticed internally
2024-06-12 04:49:14 +00:00
return s.CreateRelyingPartyForDomain(ctx, s.Config.ExternalDomain, clientID, redirectURI, scope...)
}
func (s *Tester) CreateRelyingPartyForDomain(ctx context.Context, domain, clientID, redirectURI string, scope ...string) (rp.RelyingParty, error) {
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
if len(scope) == 0 {
scope = []string{oidc.ScopeOpenID}
}
feat(OIDC): add support for end_session for V2 tokens (#6226) This PR adds support for the OIDC end_session_endpoint for V2 tokens. Sending an id_token_hint as parameter will directly terminate the underlying (SSO) session and all its tokens. Without this param, the user will be redirected to the Login UI, where he will able to choose if to logout.
2023-07-19 11:17:39 +00:00
loginClient := &http.Client{Transport: &loginRoundTripper{http.DefaultTransport}}
fix: consider oidc session events for authN milestones (#8089) # Which Problems Are Solved After migrating the access token events in #7822, milestones based on authentication, resp. theses events would not be reached. # How the Problems Are Solved Additionally use the `oidc_session.Added` event to check for `milestone.AuthenticationSucceededOnInstance` and `milestone.AuthenticationSucceededOnApplication`. # Additional Changes None. # Additional Context - relates to #7822 - noticed internally
2024-06-12 04:49:14 +00:00
return rp.NewRelyingPartyOIDC(ctx, http_util.BuildHTTP(domain, s.Config.Port, s.Config.ExternalSecure), clientID, "", redirectURI, scope, rp.WithHTTPClient(loginClient))
feat(OIDC): add support for end_session for V2 tokens (#6226) This PR adds support for the OIDC end_session_endpoint for V2 tokens. Sending an id_token_hint as parameter will directly terminate the underlying (SSO) session and all its tokens. Without this param, the user will be redirected to the Login UI, where he will able to choose if to logout.
2023-07-19 11:17:39 +00:00
}
type loginRoundTripper struct {
http.RoundTripper
}
func (c *loginRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
req.Header.Set(oidc_internal.LoginClientHeader, LoginUser)
return c.RoundTripper.RoundTrip(req)
feat(API): support V2 token and session token usage (#6180) This PR adds support for userinfo and introspection of V2 tokens. Further V2 access tokens and session tokens can be used for authentication on the ZITADEL API (like the current access tokens).
2023-07-14 11:16:16 +00:00
}
fix(oidc): nil check for client secret (#7115) This fixes a nil pointer panic when client basic auth is attempted on a client without secret in introspection.
2023-12-28 13:31:41 +00:00
func (s *Tester) CreateResourceServerJWTProfile(ctx context.Context, keyFileData []byte) (rs.ResourceServer, error) {
feat(API): support V2 token and session token usage (#6180) This PR adds support for userinfo and introspection of V2 tokens. Further V2 access tokens and session tokens can be used for authentication on the ZITADEL API (like the current access tokens).
2023-07-14 11:16:16 +00:00
keyFile, err := client.ConfigFromKeyFileData(keyFileData)
if err != nil {
return nil, err
}
chore(deps): upgrade to oidc v3 (#6737) This pr upgrades oidc to v3 . Function signature changes have been migrated as well. Specifically there are more client calls that take a context now. Where feasable a context is added to those calls. Where a context is not (easily) available context.TODO() is used as a reminder for when it does. Related to #6619
2023-10-17 15:19:51 +00:00
return rs.NewResourceServerJWTProfile(ctx, s.OIDCIssuer(), keyFile.ClientID, keyFile.KeyID, []byte(keyFile.Key))
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
}
fix(oidc): nil check for client secret (#7115) This fixes a nil pointer panic when client basic auth is attempted on a client without secret in introspection.
2023-12-28 13:31:41 +00:00
func (s *Tester) CreateResourceServerClientCredentials(ctx context.Context, clientID, clientSecret string) (rs.ResourceServer, error) {
return rs.NewResourceServerClientCredentials(ctx, s.OIDCIssuer(), clientID, clientSecret)
}
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 09:26:14 +00:00
func GetRequest(url string, headers map[string]string) (*http.Request, error) {
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
req, err := http.NewRequest(http.MethodGet, url, nil)
if err != nil {
return nil, err
}
for key, value := range headers {
req.Header.Set(key, value)
}
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 09:26:14 +00:00
return req, nil
}
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
chore(ci): merge test runs (#7388) * chore(ci): merge test runs * docs: improve CONTRIBUTING.md * expect failure * expect failure unit * cleanup * fix: correct binding in integration tests * fix: correct binding in integration tests --------- Co-authored-by: Stefan Benz <stefan@caos.ch>
2024-02-19 06:50:37 +00:00
func CheckPost(url string, values url.Values) (*url.URL, error) {
client := &http.Client{
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
resp, err := client.PostForm(url, values)
if err != nil {
return nil, err
}
defer resp.Body.Close()
return resp.Location()
}
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 09:26:14 +00:00
func CheckRedirect(req *http.Request) (*url.URL, error) {
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
client := &http.Client{
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
resp, err := client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
test: no location header in response (#8441) # Which Problems Are Solved Sometimes integrations tests are failing with an error `http: no location header in response`. The underlying cause was hidden, as in some tests we assumed a 3xx range response but got a 4xx response instead. No assertion on the status code was made, resulting in the above error message on calling `resp.Location()`. The underlying issue, the application not found in the projection, is also fixed. # How the Problems Are Solved This change adds a check for the status code and returns the response body if the response is not in the 3xx status code range. Helper function that create applications now do an additional `GetAppByID` in a retry loop to ensure consitency in the projection before proceeding with tests. # Additional Changes - none # Additional Context - Pipline failures were observed, no issue was created - Cherry-picked form WIP #8407 Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-08-17 14:48:06 +00:00
if resp.StatusCode < 300 || resp.StatusCode >= 400 {
body, _ := io.ReadAll(resp.Body)
return nil, fmt.Errorf("check redirect unexpected status: %q; body: %q", resp.Status, body)
}
feat(api): add OIDC session service (#6157) This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-07-10 13:27:00 +00:00
return resp.Location()
}
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) # Which Problems Are Solved After deployment of 2.53.x, customers noted that the roles claims where always present in the tokens even if the corresponding option on the client (accessTokenRoleAssertion, idTokenRoleAsseriton) was disabled. Only the project flag (assertRolesOnAuthentication) would be considered. Further it was noted, that the action on the preAccessTokenCreation trigger would not be executed. Additionally, while testing those issues we found out, that the user information (name, givenname, family name, ...) where always present in the id_token even if the option (idTokenUserInfo) was not enabled. # How the Problems Are Solved - The `getUserinfoOnce` which was used for access and id_tokens is refactored to `getUserInfo` and no longer only queries the info once from the database, but still provides a mechanism to be reused for access and id_token where the corresponding `roleAssertion` and action `triggerType` can be passed. - `userInfo` on the other hand now directly makes sure the information is only queried once from the database. Role claims are asserted every time and action triggers are executed on every call. - `userInfo` now also checks if the profile information need to be returned. # Additional Changes None. # Additional Context - relates to #7822 - reported by customers
2024-05-31 10:10:18 +00:00
func (s *Tester) CreateOIDCCredentialsClient(ctx context.Context) (machine *management.AddMachineUserResponse, name, clientID, clientSecret string, err error) {
name = gofakeit.Username()
machine, err = s.Client.Mgmt.AddMachineUser(ctx, &management.AddMachineUserRequest{
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
Name: name,
UserName: name,
AccessTokenType: user.AccessTokenType_ACCESS_TOKEN_TYPE_JWT,
})
if err != nil {
fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) # Which Problems Are Solved After deployment of 2.53.x, customers noted that the roles claims where always present in the tokens even if the corresponding option on the client (accessTokenRoleAssertion, idTokenRoleAsseriton) was disabled. Only the project flag (assertRolesOnAuthentication) would be considered. Further it was noted, that the action on the preAccessTokenCreation trigger would not be executed. Additionally, while testing those issues we found out, that the user information (name, givenname, family name, ...) where always present in the id_token even if the option (idTokenUserInfo) was not enabled. # How the Problems Are Solved - The `getUserinfoOnce` which was used for access and id_tokens is refactored to `getUserInfo` and no longer only queries the info once from the database, but still provides a mechanism to be reused for access and id_token where the corresponding `roleAssertion` and action `triggerType` can be passed. - `userInfo` on the other hand now directly makes sure the information is only queried once from the database. Role claims are asserted every time and action triggers are executed on every call. - `userInfo` now also checks if the profile information need to be returned. # Additional Changes None. # Additional Context - relates to #7822 - reported by customers
2024-05-31 10:10:18 +00:00
return nil, "", "", "", err
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
}
secret, err := s.Client.Mgmt.GenerateMachineSecret(ctx, &management.GenerateMachineSecretRequest{
fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) # Which Problems Are Solved After deployment of 2.53.x, customers noted that the roles claims where always present in the tokens even if the corresponding option on the client (accessTokenRoleAssertion, idTokenRoleAsseriton) was disabled. Only the project flag (assertRolesOnAuthentication) would be considered. Further it was noted, that the action on the preAccessTokenCreation trigger would not be executed. Additionally, while testing those issues we found out, that the user information (name, givenname, family name, ...) where always present in the id_token even if the option (idTokenUserInfo) was not enabled. # How the Problems Are Solved - The `getUserinfoOnce` which was used for access and id_tokens is refactored to `getUserInfo` and no longer only queries the info once from the database, but still provides a mechanism to be reused for access and id_token where the corresponding `roleAssertion` and action `triggerType` can be passed. - `userInfo` on the other hand now directly makes sure the information is only queried once from the database. Role claims are asserted every time and action triggers are executed on every call. - `userInfo` now also checks if the profile information need to be returned. # Additional Changes None. # Additional Context - relates to #7822 - reported by customers
2024-05-31 10:10:18 +00:00
UserId: machine.GetUserId(),
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
})
if err != nil {
fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) # Which Problems Are Solved After deployment of 2.53.x, customers noted that the roles claims where always present in the tokens even if the corresponding option on the client (accessTokenRoleAssertion, idTokenRoleAsseriton) was disabled. Only the project flag (assertRolesOnAuthentication) would be considered. Further it was noted, that the action on the preAccessTokenCreation trigger would not be executed. Additionally, while testing those issues we found out, that the user information (name, givenname, family name, ...) where always present in the id_token even if the option (idTokenUserInfo) was not enabled. # How the Problems Are Solved - The `getUserinfoOnce` which was used for access and id_tokens is refactored to `getUserInfo` and no longer only queries the info once from the database, but still provides a mechanism to be reused for access and id_token where the corresponding `roleAssertion` and action `triggerType` can be passed. - `userInfo` on the other hand now directly makes sure the information is only queried once from the database. Role claims are asserted every time and action triggers are executed on every call. - `userInfo` now also checks if the profile information need to be returned. # Additional Changes None. # Additional Context - relates to #7822 - reported by customers
2024-05-31 10:10:18 +00:00
return nil, "", "", "", err
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
}
fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) # Which Problems Are Solved After deployment of 2.53.x, customers noted that the roles claims where always present in the tokens even if the corresponding option on the client (accessTokenRoleAssertion, idTokenRoleAsseriton) was disabled. Only the project flag (assertRolesOnAuthentication) would be considered. Further it was noted, that the action on the preAccessTokenCreation trigger would not be executed. Additionally, while testing those issues we found out, that the user information (name, givenname, family name, ...) where always present in the id_token even if the option (idTokenUserInfo) was not enabled. # How the Problems Are Solved - The `getUserinfoOnce` which was used for access and id_tokens is refactored to `getUserInfo` and no longer only queries the info once from the database, but still provides a mechanism to be reused for access and id_token where the corresponding `roleAssertion` and action `triggerType` can be passed. - `userInfo` on the other hand now directly makes sure the information is only queried once from the database. Role claims are asserted every time and action triggers are executed on every call. - `userInfo` now also checks if the profile information need to be returned. # Additional Changes None. # Additional Context - relates to #7822 - reported by customers
2024-05-31 10:10:18 +00:00
return machine, name, secret.GetClientId(), secret.GetClientSecret(), nil
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2023-12-05 17:01:03 +00:00
}
perf(oidc): optimize token creation (#7822) * implement code exchange * port tokenexchange to v2 tokens * implement refresh token * implement client credentials * implement jwt profile * implement device token * cleanup unused code * fix current unit tests * add user agent unit test * unit test domain package * need refresh token as argument * test commands create oidc session * test commands device auth * fix device auth build error * implicit for oidc session API * implement authorize callback handler for legacy implicit mode * upgrade oidc module to working draft * add missing auth methods and time * handle all errors in defer * do not fail auth request on error the oauth2 Go client automagically retries on any error. If we fail the auth request on the first error, the next attempt will always fail with the Errors.AuthRequest.NoCode, because the auth request state is already set to failed. The original error is then already lost and the oauth2 library does not return the original error. Therefore we should not fail the auth request. Might be worth discussing and perhaps send a bug report to Oauth2? * fix code flow tests by explicitly setting code exchanged * fix unit tests in command package * return allowed scope from client credential client * add device auth done reducer * carry nonce thru session into ID token * fix token exchange integration tests * allow project role scope prefix in client credentials client * gci formatting * do not return refresh token in client credentials and jwt profile * check org scope * solve linting issue on authorize callback error * end session based on v2 session ID * use preferred language and user agent ID for v2 access tokens * pin oidc v3.23.2 * add integration test for jwt profile and client credentials with org scopes * refresh token v1 to v2 * add user token v2 audit event * add activity trigger * cleanup and set panics for unused methods * use the encrypted code for v1 auth request get by code * add missing event translation * fix pipeline errors (hopefully) * fix another test * revert pointer usage of preferred language * solve browser info panic in device auth * remove duplicate entries in AMRToAuthMethodTypes to prevent future `mfa` claim * revoke v1 refresh token to prevent reuse * fix terminate oidc session * always return a new refresh toke in refresh token grant --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-05-16 05:07:56 +00:00
fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) # Which Problems Are Solved After deployment of 2.53.x, customers noted that the roles claims where always present in the tokens even if the corresponding option on the client (accessTokenRoleAssertion, idTokenRoleAsseriton) was disabled. Only the project flag (assertRolesOnAuthentication) would be considered. Further it was noted, that the action on the preAccessTokenCreation trigger would not be executed. Additionally, while testing those issues we found out, that the user information (name, givenname, family name, ...) where always present in the id_token even if the option (idTokenUserInfo) was not enabled. # How the Problems Are Solved - The `getUserinfoOnce` which was used for access and id_tokens is refactored to `getUserInfo` and no longer only queries the info once from the database, but still provides a mechanism to be reused for access and id_token where the corresponding `roleAssertion` and action `triggerType` can be passed. - `userInfo` on the other hand now directly makes sure the information is only queried once from the database. Role claims are asserted every time and action triggers are executed on every call. - `userInfo` now also checks if the profile information need to be returned. # Additional Changes None. # Additional Context - relates to #7822 - reported by customers
2024-05-31 10:10:18 +00:00
func (s *Tester) CreateOIDCJWTProfileClient(ctx context.Context) (machine *management.AddMachineUserResponse, name string, keyData []byte, err error) {
name = gofakeit.Username()
machine, err = s.Client.Mgmt.AddMachineUser(ctx, &management.AddMachineUserRequest{
perf(oidc): optimize token creation (#7822) * implement code exchange * port tokenexchange to v2 tokens * implement refresh token * implement client credentials * implement jwt profile * implement device token * cleanup unused code * fix current unit tests * add user agent unit test * unit test domain package * need refresh token as argument * test commands create oidc session * test commands device auth * fix device auth build error * implicit for oidc session API * implement authorize callback handler for legacy implicit mode * upgrade oidc module to working draft * add missing auth methods and time * handle all errors in defer * do not fail auth request on error the oauth2 Go client automagically retries on any error. If we fail the auth request on the first error, the next attempt will always fail with the Errors.AuthRequest.NoCode, because the auth request state is already set to failed. The original error is then already lost and the oauth2 library does not return the original error. Therefore we should not fail the auth request. Might be worth discussing and perhaps send a bug report to Oauth2? * fix code flow tests by explicitly setting code exchanged * fix unit tests in command package * return allowed scope from client credential client * add device auth done reducer * carry nonce thru session into ID token * fix token exchange integration tests * allow project role scope prefix in client credentials client * gci formatting * do not return refresh token in client credentials and jwt profile * check org scope * solve linting issue on authorize callback error * end session based on v2 session ID * use preferred language and user agent ID for v2 access tokens * pin oidc v3.23.2 * add integration test for jwt profile and client credentials with org scopes * refresh token v1 to v2 * add user token v2 audit event * add activity trigger * cleanup and set panics for unused methods * use the encrypted code for v1 auth request get by code * add missing event translation * fix pipeline errors (hopefully) * fix another test * revert pointer usage of preferred language * solve browser info panic in device auth * remove duplicate entries in AMRToAuthMethodTypes to prevent future `mfa` claim * revoke v1 refresh token to prevent reuse * fix terminate oidc session * always return a new refresh toke in refresh token grant --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-05-16 05:07:56 +00:00
Name: name,
UserName: name,
AccessTokenType: user.AccessTokenType_ACCESS_TOKEN_TYPE_JWT,
})
if err != nil {
fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) # Which Problems Are Solved After deployment of 2.53.x, customers noted that the roles claims where always present in the tokens even if the corresponding option on the client (accessTokenRoleAssertion, idTokenRoleAsseriton) was disabled. Only the project flag (assertRolesOnAuthentication) would be considered. Further it was noted, that the action on the preAccessTokenCreation trigger would not be executed. Additionally, while testing those issues we found out, that the user information (name, givenname, family name, ...) where always present in the id_token even if the option (idTokenUserInfo) was not enabled. # How the Problems Are Solved - The `getUserinfoOnce` which was used for access and id_tokens is refactored to `getUserInfo` and no longer only queries the info once from the database, but still provides a mechanism to be reused for access and id_token where the corresponding `roleAssertion` and action `triggerType` can be passed. - `userInfo` on the other hand now directly makes sure the information is only queried once from the database. Role claims are asserted every time and action triggers are executed on every call. - `userInfo` now also checks if the profile information need to be returned. # Additional Changes None. # Additional Context - relates to #7822 - reported by customers
2024-05-31 10:10:18 +00:00
return nil, "", nil, err
perf(oidc): optimize token creation (#7822) * implement code exchange * port tokenexchange to v2 tokens * implement refresh token * implement client credentials * implement jwt profile * implement device token * cleanup unused code * fix current unit tests * add user agent unit test * unit test domain package * need refresh token as argument * test commands create oidc session * test commands device auth * fix device auth build error * implicit for oidc session API * implement authorize callback handler for legacy implicit mode * upgrade oidc module to working draft * add missing auth methods and time * handle all errors in defer * do not fail auth request on error the oauth2 Go client automagically retries on any error. If we fail the auth request on the first error, the next attempt will always fail with the Errors.AuthRequest.NoCode, because the auth request state is already set to failed. The original error is then already lost and the oauth2 library does not return the original error. Therefore we should not fail the auth request. Might be worth discussing and perhaps send a bug report to Oauth2? * fix code flow tests by explicitly setting code exchanged * fix unit tests in command package * return allowed scope from client credential client * add device auth done reducer * carry nonce thru session into ID token * fix token exchange integration tests * allow project role scope prefix in client credentials client * gci formatting * do not return refresh token in client credentials and jwt profile * check org scope * solve linting issue on authorize callback error * end session based on v2 session ID * use preferred language and user agent ID for v2 access tokens * pin oidc v3.23.2 * add integration test for jwt profile and client credentials with org scopes * refresh token v1 to v2 * add user token v2 audit event * add activity trigger * cleanup and set panics for unused methods * use the encrypted code for v1 auth request get by code * add missing event translation * fix pipeline errors (hopefully) * fix another test * revert pointer usage of preferred language * solve browser info panic in device auth * remove duplicate entries in AMRToAuthMethodTypes to prevent future `mfa` claim * revoke v1 refresh token to prevent reuse * fix terminate oidc session * always return a new refresh toke in refresh token grant --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-05-16 05:07:56 +00:00
}
keyResp, err := s.Client.Mgmt.AddMachineKey(ctx, &management.AddMachineKeyRequest{
fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) # Which Problems Are Solved After deployment of 2.53.x, customers noted that the roles claims where always present in the tokens even if the corresponding option on the client (accessTokenRoleAssertion, idTokenRoleAsseriton) was disabled. Only the project flag (assertRolesOnAuthentication) would be considered. Further it was noted, that the action on the preAccessTokenCreation trigger would not be executed. Additionally, while testing those issues we found out, that the user information (name, givenname, family name, ...) where always present in the id_token even if the option (idTokenUserInfo) was not enabled. # How the Problems Are Solved - The `getUserinfoOnce` which was used for access and id_tokens is refactored to `getUserInfo` and no longer only queries the info once from the database, but still provides a mechanism to be reused for access and id_token where the corresponding `roleAssertion` and action `triggerType` can be passed. - `userInfo` on the other hand now directly makes sure the information is only queried once from the database. Role claims are asserted every time and action triggers are executed on every call. - `userInfo` now also checks if the profile information need to be returned. # Additional Changes None. # Additional Context - relates to #7822 - reported by customers
2024-05-31 10:10:18 +00:00
UserId: machine.GetUserId(),
perf(oidc): optimize token creation (#7822) * implement code exchange * port tokenexchange to v2 tokens * implement refresh token * implement client credentials * implement jwt profile * implement device token * cleanup unused code * fix current unit tests * add user agent unit test * unit test domain package * need refresh token as argument * test commands create oidc session * test commands device auth * fix device auth build error * implicit for oidc session API * implement authorize callback handler for legacy implicit mode * upgrade oidc module to working draft * add missing auth methods and time * handle all errors in defer * do not fail auth request on error the oauth2 Go client automagically retries on any error. If we fail the auth request on the first error, the next attempt will always fail with the Errors.AuthRequest.NoCode, because the auth request state is already set to failed. The original error is then already lost and the oauth2 library does not return the original error. Therefore we should not fail the auth request. Might be worth discussing and perhaps send a bug report to Oauth2? * fix code flow tests by explicitly setting code exchanged * fix unit tests in command package * return allowed scope from client credential client * add device auth done reducer * carry nonce thru session into ID token * fix token exchange integration tests * allow project role scope prefix in client credentials client * gci formatting * do not return refresh token in client credentials and jwt profile * check org scope * solve linting issue on authorize callback error * end session based on v2 session ID * use preferred language and user agent ID for v2 access tokens * pin oidc v3.23.2 * add integration test for jwt profile and client credentials with org scopes * refresh token v1 to v2 * add user token v2 audit event * add activity trigger * cleanup and set panics for unused methods * use the encrypted code for v1 auth request get by code * add missing event translation * fix pipeline errors (hopefully) * fix another test * revert pointer usage of preferred language * solve browser info panic in device auth * remove duplicate entries in AMRToAuthMethodTypes to prevent future `mfa` claim * revoke v1 refresh token to prevent reuse * fix terminate oidc session * always return a new refresh toke in refresh token grant --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-05-16 05:07:56 +00:00
Type: authn.KeyType_KEY_TYPE_JSON,
ExpirationDate: timestamppb.New(time.Now().Add(time.Hour)),
})
if err != nil {
fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) # Which Problems Are Solved After deployment of 2.53.x, customers noted that the roles claims where always present in the tokens even if the corresponding option on the client (accessTokenRoleAssertion, idTokenRoleAsseriton) was disabled. Only the project flag (assertRolesOnAuthentication) would be considered. Further it was noted, that the action on the preAccessTokenCreation trigger would not be executed. Additionally, while testing those issues we found out, that the user information (name, givenname, family name, ...) where always present in the id_token even if the option (idTokenUserInfo) was not enabled. # How the Problems Are Solved - The `getUserinfoOnce` which was used for access and id_tokens is refactored to `getUserInfo` and no longer only queries the info once from the database, but still provides a mechanism to be reused for access and id_token where the corresponding `roleAssertion` and action `triggerType` can be passed. - `userInfo` on the other hand now directly makes sure the information is only queried once from the database. Role claims are asserted every time and action triggers are executed on every call. - `userInfo` now also checks if the profile information need to be returned. # Additional Changes None. # Additional Context - relates to #7822 - reported by customers
2024-05-31 10:10:18 +00:00
return nil, "", nil, err
perf(oidc): optimize token creation (#7822) * implement code exchange * port tokenexchange to v2 tokens * implement refresh token * implement client credentials * implement jwt profile * implement device token * cleanup unused code * fix current unit tests * add user agent unit test * unit test domain package * need refresh token as argument * test commands create oidc session * test commands device auth * fix device auth build error * implicit for oidc session API * implement authorize callback handler for legacy implicit mode * upgrade oidc module to working draft * add missing auth methods and time * handle all errors in defer * do not fail auth request on error the oauth2 Go client automagically retries on any error. If we fail the auth request on the first error, the next attempt will always fail with the Errors.AuthRequest.NoCode, because the auth request state is already set to failed. The original error is then already lost and the oauth2 library does not return the original error. Therefore we should not fail the auth request. Might be worth discussing and perhaps send a bug report to Oauth2? * fix code flow tests by explicitly setting code exchanged * fix unit tests in command package * return allowed scope from client credential client * add device auth done reducer * carry nonce thru session into ID token * fix token exchange integration tests * allow project role scope prefix in client credentials client * gci formatting * do not return refresh token in client credentials and jwt profile * check org scope * solve linting issue on authorize callback error * end session based on v2 session ID * use preferred language and user agent ID for v2 access tokens * pin oidc v3.23.2 * add integration test for jwt profile and client credentials with org scopes * refresh token v1 to v2 * add user token v2 audit event * add activity trigger * cleanup and set panics for unused methods * use the encrypted code for v1 auth request get by code * add missing event translation * fix pipeline errors (hopefully) * fix another test * revert pointer usage of preferred language * solve browser info panic in device auth * remove duplicate entries in AMRToAuthMethodTypes to prevent future `mfa` claim * revoke v1 refresh token to prevent reuse * fix terminate oidc session * always return a new refresh toke in refresh token grant --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-05-16 05:07:56 +00:00
}
fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) # Which Problems Are Solved After deployment of 2.53.x, customers noted that the roles claims where always present in the tokens even if the corresponding option on the client (accessTokenRoleAssertion, idTokenRoleAsseriton) was disabled. Only the project flag (assertRolesOnAuthentication) would be considered. Further it was noted, that the action on the preAccessTokenCreation trigger would not be executed. Additionally, while testing those issues we found out, that the user information (name, givenname, family name, ...) where always present in the id_token even if the option (idTokenUserInfo) was not enabled. # How the Problems Are Solved - The `getUserinfoOnce` which was used for access and id_tokens is refactored to `getUserInfo` and no longer only queries the info once from the database, but still provides a mechanism to be reused for access and id_token where the corresponding `roleAssertion` and action `triggerType` can be passed. - `userInfo` on the other hand now directly makes sure the information is only queried once from the database. Role claims are asserted every time and action triggers are executed on every call. - `userInfo` now also checks if the profile information need to be returned. # Additional Changes None. # Additional Context - relates to #7822 - reported by customers
2024-05-31 10:10:18 +00:00
return machine, name, keyResp.GetKeyDetails(), nil
perf(oidc): optimize token creation (#7822) * implement code exchange * port tokenexchange to v2 tokens * implement refresh token * implement client credentials * implement jwt profile * implement device token * cleanup unused code * fix current unit tests * add user agent unit test * unit test domain package * need refresh token as argument * test commands create oidc session * test commands device auth * fix device auth build error * implicit for oidc session API * implement authorize callback handler for legacy implicit mode * upgrade oidc module to working draft * add missing auth methods and time * handle all errors in defer * do not fail auth request on error the oauth2 Go client automagically retries on any error. If we fail the auth request on the first error, the next attempt will always fail with the Errors.AuthRequest.NoCode, because the auth request state is already set to failed. The original error is then already lost and the oauth2 library does not return the original error. Therefore we should not fail the auth request. Might be worth discussing and perhaps send a bug report to Oauth2? * fix code flow tests by explicitly setting code exchanged * fix unit tests in command package * return allowed scope from client credential client * add device auth done reducer * carry nonce thru session into ID token * fix token exchange integration tests * allow project role scope prefix in client credentials client * gci formatting * do not return refresh token in client credentials and jwt profile * check org scope * solve linting issue on authorize callback error * end session based on v2 session ID * use preferred language and user agent ID for v2 access tokens * pin oidc v3.23.2 * add integration test for jwt profile and client credentials with org scopes * refresh token v1 to v2 * add user token v2 audit event * add activity trigger * cleanup and set panics for unused methods * use the encrypted code for v1 auth request get by code * add missing event translation * fix pipeline errors (hopefully) * fix another test * revert pointer usage of preferred language * solve browser info panic in device auth * remove duplicate entries in AMRToAuthMethodTypes to prevent future `mfa` claim * revoke v1 refresh token to prevent reuse * fix terminate oidc session * always return a new refresh toke in refresh token grant --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-05-16 05:07:56 +00:00
}
Reference in New Issue Copy Permalink