diff --git a/go.mod b/go.mod index 8a1d1c0e1a..52700f8fc0 100644 --- a/go.mod +++ b/go.mod @@ -23,7 +23,7 @@ require ( github.com/go-ldap/ldap/v3 v3.4.4 github.com/golang/glog v1.0.0 github.com/golang/mock v1.6.0 - github.com/golang/protobuf v1.5.2 + github.com/golang/protobuf v1.5.3 github.com/gorilla/csrf v1.7.1 github.com/gorilla/mux v1.8.0 github.com/gorilla/schema v1.2.0 @@ -57,7 +57,7 @@ require ( github.com/superseriousbusiness/exifremove v0.0.0-20210330092427-6acd27eac203 github.com/ttacon/libphonenumber v1.2.1 github.com/zitadel/logging v0.3.4 - github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.9 + github.com/zitadel/oidc/v2 v2.2.1 github.com/zitadel/saml v0.0.10 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.27.0 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.27.0 @@ -70,16 +70,16 @@ require ( go.opentelemetry.io/otel/sdk/export/metric v0.25.0 go.opentelemetry.io/otel/sdk/metric v0.25.0 go.opentelemetry.io/otel/trace v1.11.2 - golang.org/x/crypto v0.6.0 - golang.org/x/net v0.7.0 - golang.org/x/oauth2 v0.5.0 + golang.org/x/crypto v0.7.0 + golang.org/x/net v0.8.0 + golang.org/x/oauth2 v0.6.0 golang.org/x/sync v0.1.0 - golang.org/x/text v0.7.0 + golang.org/x/text v0.8.0 golang.org/x/tools v0.6.0 google.golang.org/api v0.110.0 google.golang.org/genproto v0.0.0-20230221151758-ace64dc21148 google.golang.org/grpc v1.53.0 - google.golang.org/protobuf v1.28.1 + google.golang.org/protobuf v1.29.1 gopkg.in/square/go-jose.v2 v2.6.0 sigs.k8s.io/yaml v1.3.0 ) @@ -90,6 +90,7 @@ require ( github.com/go-logr/logr v1.2.3 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/klauspost/cpuid/v2 v2.2.3 // indirect + github.com/muhlemmer/gu v0.3.1 // indirect github.com/pelletier/go-toml/v2 v2.0.6 // indirect go.uber.org/atomic v1.10.0 // indirect go.uber.org/multierr v1.8.0 // indirect @@ -192,7 +193,7 @@ require ( go.opentelemetry.io/otel/internal/metric v0.25.0 // indirect go.opentelemetry.io/proto/otlp v0.15.0 // indirect golang.org/x/mod v0.8.0 // indirect - golang.org/x/sys v0.5.0 // indirect + golang.org/x/sys v0.6.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/appengine v1.6.7 // indirect gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/go.sum b/go.sum index 30b15fcc10..e75d6be6e1 100644 --- a/go.sum +++ b/go.sum @@ -34,7 +34,6 @@ cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4g cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= cloud.google.com/go/compute v1.18.0 h1:FEigFqoDbys2cvFkZ9Fjq4gnHBP55anJ0yQyau2f9oY= cloud.google.com/go/compute v1.18.0/go.mod h1:1X7yHxec2Ga+Ss6jPyjxRxpu2uu7PLgsOVXvgU0yacs= -cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= @@ -463,8 +462,9 @@ github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= -github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= @@ -488,11 +488,9 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM= -github.com/google/go-github/v31 v31.0.0/go.mod h1:NQPZol8/1sMoWYGN2yaALIBytu17gAWfhbweiEed3pM= github.com/google/go-licenses v0.0.0-20210329231322-ce1d9163b77d/go.mod h1:+TYOmkVoJOpwnS0wfdsJCV9CoD5nJYsHoFk/0CrTK4M= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/go-replayers/grpcreplay v0.1.0/go.mod h1:8Ig2Idjpr6gifRd6pNVggX6TC1Zw6Jx74AKp7QNH2QE= @@ -690,6 +688,7 @@ github.com/jarcoal/httpmock v1.0.5/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT github.com/jarcoal/jpath v0.0.0-20140328210829-f76b8b2dbf52 h1:jny9eqYPwkG8IVy7foUoRjQmFLcArCSz+uPsL6KS0HQ= github.com/jarcoal/jpath v0.0.0-20140328210829-f76b8b2dbf52/go.mod h1:RDZ+4PR3mDOtTpVbI0qBE+rdhmtIrtbssiNn38/1OWA= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= +github.com/jeremija/gosubmit v0.2.7 h1:At0OhGCFGPXyjPYAsCchoBUhE099pcBXmsb4iZqROIc= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jhump/protoreflect v1.6.1/go.mod h1:RZQ/lnuN+zqeRVpQigTwO6o0AJUkxbnSnpuG7toUTG4= github.com/jhump/protoreflect v1.8.2/go.mod h1:7GcYQDdMU/O/BBrl/cX6PNHpXh6cenjd8pneu5yW7Tg= @@ -863,6 +862,8 @@ github.com/muesli/gamut v0.3.1 h1:8hozovcrDBWLLAwuOXC+UDyO0/uNroIdXAmY/lQOMHo= github.com/muesli/gamut v0.3.1/go.mod h1:BED0DN21PXU1YaYNwaTmX9700SRHPcWWd6Llj0zsz5k= github.com/muesli/kmeans v0.3.1 h1:KshLQ8wAETfLWOJKMuDCVYHnafddSa1kwGh/IypGIzY= github.com/muesli/kmeans v0.3.1/go.mod h1:8/OvJW7cHc1BpRf8URb43m+vR105DDe+Kj1WcFXYDqc= +github.com/muhlemmer/gu v0.3.1 h1:7EAqmFrW7n3hETvuAdmFmn4hS8W+z3LgKtrnow+YzNM= +github.com/muhlemmer/gu v0.3.1/go.mod h1:YHtHR+gxM+bKEIIs7Hmi9sPT3ZDUvTN/i88wQpZkrdM= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= @@ -880,7 +881,6 @@ github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32 h1:W6apQkHrMkS0Muv8G/TipAy github.com/nbio/st v0.0.0-20140626010706-e9e8d9816f32/go.mod h1:9wM+0iRr9ahx58uYLpLIr5fm8diHn0JbqRycJi6w0Ms= github.com/nicksnyder/go-i18n/v2 v2.2.1 h1:aOzRCdwsJuoExfZhoiXHy4bjruwCMdt5otbYojM/PaA= github.com/nicksnyder/go-i18n/v2 v2.2.1/go.mod h1:fF2++lPHlo+/kPaj3nB0uxtPwzlPm+BlgwGX7MkeGj0= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nishanths/predeclared v0.0.0-20200524104333-86fad755b4d3/go.mod h1:nt3d53pc1VYcphSCIaYAJtnPYnr3Zyn8fMq2wvPGPso= github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= @@ -1141,8 +1141,8 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q= github.com/zitadel/logging v0.3.4 h1:9hZsTjMMTE3X2LUi0xcF9Q9EdLo+FAezeu52ireBbHM= github.com/zitadel/logging v0.3.4/go.mod h1:aPpLQhE+v6ocNK0TWrBrd363hZ95KcI17Q1ixAQwZF0= -github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.9 h1:P7xbgv2501rsW8E0Uj804LMBrabVuZYcstqoFVmgWjA= -github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.9/go.mod h1:2jHMP6o/WK0EmcNJkz+FSpjeqcCuQG9YqqqzKZkfgIE= +github.com/zitadel/oidc/v2 v2.2.1 h1:3uaN7ERsP031MZqhqUNVyLlGB7seel/YJ0CUryjIGSQ= +github.com/zitadel/oidc/v2 v2.2.1/go.mod h1:tGkj9lQk6KVj5hsM89XPadvi6I06666sMy3KtykvSFM= github.com/zitadel/saml v0.0.10 h1:cyKd78Vat9vz55S74lggJrXMSqbAPsnJDrPFTPScNYY= github.com/zitadel/saml v0.0.10/go.mod h1:Hze1/zRN9j1uh7U+89vweP/OwLNO8BLHg3zU1Jtycdg= github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0= @@ -1257,8 +1257,9 @@ golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20220517005047-85d78b3ac167/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220824171710-5757bc0c5503/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc= golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= +golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A= +golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -1358,11 +1359,10 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= -golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ= +golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1381,9 +1381,8 @@ golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk= -golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s= -golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= +golang.org/x/oauth2 v0.6.0 h1:Lh8GPgSKBfWSwFvtuWOfeI3aAAnbXTSutYxJiOJFgIw= +golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -1480,8 +1479,9 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -1498,8 +1498,9 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68= +golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1726,14 +1727,12 @@ google.golang.org/protobuf v1.25.1-0.20200805231151-a709e31e5d12/go.mod h1:9JNX7 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= -google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.29.1 h1:7QBf+IK2gx70Ap/hDsOmam3GE0v9HicjfEdAxE62UoM= +google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= diff --git a/internal/api/authz/token.go b/internal/api/authz/token.go index f225489626..a7ea46a685 100644 --- a/internal/api/authz/token.go +++ b/internal/api/authz/token.go @@ -92,7 +92,7 @@ func (s *SystemAPIUser) readKey() (*rsa.PublicKey, error) { return crypto.BytesToPublicKey(s.KeyData) } -func (s *systemJWTStorage) GetKeyByIDAndUserID(_ context.Context, _, userID string) (*jose.JSONWebKey, error) { +func (s *systemJWTStorage) GetKeyByIDAndClientID(_ context.Context, _, userID string) (*jose.JSONWebKey, error) { cachedKey, ok := s.cachedKeys[userID] if ok { return &jose.JSONWebKey{KeyID: userID, Key: cachedKey}, nil diff --git a/internal/api/oidc/auth_request.go b/internal/api/oidc/auth_request.go index ba719229da..de39871b96 100644 --- a/internal/api/oidc/auth_request.go +++ b/internal/api/oidc/auth_request.go @@ -143,7 +143,7 @@ func getInfoFromRequest(req op.TokenRequest) (string, string, string, time.Time, } func (o *OPStorage) TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (op.RefreshTokenRequest, error) { - tokenView, err := o.repo.RefreshTokenByID(ctx, refreshToken) + tokenView, err := o.repo.RefreshTokenByToken(ctx, refreshToken) if err != nil { return nil, err } @@ -175,7 +175,7 @@ func (o *OPStorage) TerminateSession(ctx context.Context, userID, clientID strin } func (o *OPStorage) RevokeToken(ctx context.Context, token, userID, clientID string) *oidc.Error { - refreshToken, err := o.repo.RefreshTokenByID(ctx, token) + refreshToken, err := o.repo.RefreshTokenByID(ctx, token, userID) if err == nil { if refreshToken.ClientID != clientID { return oidc.ErrInvalidClient().WithDescription("token was not issued for this client") @@ -203,6 +203,17 @@ func (o *OPStorage) RevokeToken(ctx context.Context, token, userID, clientID str return oidc.ErrServerError().WithParent(err) } +func (o *OPStorage) GetRefreshTokenInfo(ctx context.Context, clientID string, token string) (userID string, tokenID string, err error) { + refreshToken, err := o.repo.RefreshTokenByToken(ctx, token) + if err != nil { + return "", "", op.ErrInvalidRefreshToken + } + if refreshToken.ClientID != clientID { + return "", "", oidc.ErrInvalidClient().WithDescription("token was not issued for this client") + } + return refreshToken.UserID, refreshToken.ID, nil +} + func (o *OPStorage) assertProjectRoleScopes(ctx context.Context, clientID string, scopes []string) ([]string, error) { for _, scope := range scopes { if strings.HasPrefix(scope, ScopeProjectRolePrefix) { diff --git a/internal/api/oidc/client.go b/internal/api/oidc/client.go index 1412d40fab..be48a2b005 100644 --- a/internal/api/oidc/client.go +++ b/internal/api/oidc/client.go @@ -67,7 +67,7 @@ func (o *OPStorage) GetClientByClientID(ctx context.Context, id string) (_ op.Cl return ClientFromBusiness(client, o.defaultLoginURL, accessTokenLifetime, idTokenLifetime, allowedScopes) } -func (o *OPStorage) GetKeyByIDAndUserID(ctx context.Context, keyID, userID string) (_ *jose.JSONWebKey, err error) { +func (o *OPStorage) GetKeyByIDAndClientID(ctx context.Context, keyID, userID string) (_ *jose.JSONWebKey, err error) { return o.GetKeyByIDAndIssuer(ctx, keyID, userID) } @@ -114,7 +114,7 @@ func (o *OPStorage) AuthorizeClientIDSecret(ctx context.Context, id string, secr return o.command.VerifyAPIClientSecret(ctx, app.ProjectID, app.ID, secret) } -func (o *OPStorage) SetUserinfoFromToken(ctx context.Context, userInfo oidc.UserInfoSetter, tokenID, subject, origin string) (err error) { +func (o *OPStorage) SetUserinfoFromToken(ctx context.Context, userInfo *oidc.UserInfo, tokenID, subject, origin string) (err error) { ctx, span := tracing.NewSpan(ctx) defer func() { span.EndWithError(err) }() token, err := o.repo.TokenByIDs(ctx, subject, tokenID) @@ -133,7 +133,7 @@ func (o *OPStorage) SetUserinfoFromToken(ctx context.Context, userInfo oidc.User return o.setUserinfo(ctx, userInfo, token.UserID, token.ApplicationID, token.Scopes) } -func (o *OPStorage) SetUserinfoFromScopes(ctx context.Context, userInfo oidc.UserInfoSetter, userID, applicationID string, scopes []string) (err error) { +func (o *OPStorage) SetUserinfoFromScopes(ctx context.Context, userInfo *oidc.UserInfo, userID, applicationID string, scopes []string) (err error) { ctx, span := tracing.NewSpan(ctx) defer func() { span.EndWithError(err) }() if applicationID != "" { @@ -151,7 +151,7 @@ func (o *OPStorage) SetUserinfoFromScopes(ctx context.Context, userInfo oidc.Use return o.setUserinfo(ctx, userInfo, userID, applicationID, scopes) } -func (o *OPStorage) SetIntrospectionFromToken(ctx context.Context, introspection oidc.IntrospectionResponse, tokenID, subject, clientID string) error { +func (o *OPStorage) SetIntrospectionFromToken(ctx context.Context, introspection *oidc.IntrospectionResponse, tokenID, subject, clientID string) error { token, err := o.repo.TokenByIDs(ctx, subject, tokenID) if err != nil { return errors.ThrowPermissionDenied(nil, "OIDC-Dsfb2", "token is not valid or has expired") @@ -168,19 +168,21 @@ func (o *OPStorage) SetIntrospectionFromToken(ctx context.Context, introspection } for _, aud := range token.Audience { if aud == clientID || aud == projectID { - err := o.setUserinfo(ctx, introspection, token.UserID, clientID, token.Scopes) + userInfo := new(oidc.UserInfo) + err := o.setUserinfo(ctx, userInfo, subject, clientID, token.Scopes) if err != nil { return err } - introspection.SetScopes(token.Scopes) - introspection.SetClientID(token.ApplicationID) - introspection.SetTokenType(oidc.BearerToken) - introspection.SetExpiration(token.Expiration) - introspection.SetIssuedAt(token.CreationDate) - introspection.SetNotBefore(token.CreationDate) - introspection.SetAudience(token.Audience) - introspection.SetIssuer(op.IssuerFromContext(ctx)) - introspection.SetJWTID(token.ID) + introspection.SetUserInfo(userInfo) + introspection.Scope = token.Scopes + introspection.ClientID = token.ApplicationID + introspection.TokenType = oidc.BearerToken + introspection.Expiration = oidc.FromTime(token.Expiration) + introspection.IssuedAt = oidc.FromTime(token.CreationDate) + introspection.NotBefore = oidc.FromTime(token.CreationDate) + introspection.Audience = token.Audience + introspection.Issuer = op.IssuerFromContext(ctx) + introspection.JWTID = token.ID return nil } } @@ -252,7 +254,7 @@ func (o *OPStorage) checkOrgScopes(ctx context.Context, user *query.User, scopes return scopes, nil } -func (o *OPStorage) setUserinfo(ctx context.Context, userInfo oidc.UserInfoSetter, userID, applicationID string, scopes []string) (err error) { +func (o *OPStorage) setUserinfo(ctx context.Context, userInfo *oidc.UserInfo, userID, applicationID string, scopes []string) (err error) { ctx, span := tracing.NewSpan(ctx) defer func() { span.EndWithError(err) }() user, err := o.query.GetUserByID(ctx, true, userID, false) @@ -263,50 +265,23 @@ func (o *OPStorage) setUserinfo(ctx context.Context, userInfo oidc.UserInfoSette for _, scope := range scopes { switch scope { case oidc.ScopeOpenID: - userInfo.SetSubject(user.ID) + userInfo.Subject = user.ID case oidc.ScopeEmail: - if user.Human == nil { - continue - } - userInfo.SetEmail(string(user.Human.Email), user.Human.IsEmailVerified) + setUserInfoEmail(userInfo, user) case oidc.ScopeProfile: - userInfo.SetPreferredUsername(user.PreferredLoginName) - userInfo.SetUpdatedAt(user.ChangeDate) - if user.Human != nil { - userInfo.SetName(user.Human.DisplayName) - userInfo.SetFamilyName(user.Human.LastName) - userInfo.SetGivenName(user.Human.FirstName) - userInfo.SetNickname(user.Human.NickName) - userInfo.SetGender(getGender(user.Human.Gender)) - userInfo.SetLocale(user.Human.PreferredLanguage) - userInfo.SetPicture(domain.AvatarURL(o.assetAPIPrefix(ctx), user.ResourceOwner, user.Human.AvatarKey)) - } else { - userInfo.SetName(user.Machine.Name) - } + o.setUserInfoProfile(ctx, userInfo, user) case oidc.ScopePhone: - if user.Human == nil { - continue - } - userInfo.SetPhone(string(user.Human.Phone), user.Human.IsPhoneVerified) + setUserInfoPhone(userInfo, user) case oidc.ScopeAddress: //TODO: handle address for human users as soon as implemented case ScopeUserMetaData: - userMetaData, err := o.assertUserMetaData(ctx, userID) - if err != nil { + if err := o.setUserInfoMetadata(ctx, userInfo, userID); err != nil { return err } - if len(userMetaData) > 0 { - userInfo.AppendClaims(ClaimUserMetaData, userMetaData) - } case ScopeResourceOwner: - resourceOwnerClaims, err := o.assertUserResourceOwner(ctx, userID) - if err != nil { + if err := o.setUserInfoResourceOwner(ctx, userInfo, userID); err != nil { return err } - for claim, value := range resourceOwnerClaims { - userInfo.AppendClaims(claim, value) - } - default: if strings.HasPrefix(scope, ScopeProjectRolePrefix) { roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix)) @@ -316,13 +291,9 @@ func (o *OPStorage) setUserinfo(ctx context.Context, userInfo oidc.UserInfoSette } if strings.HasPrefix(scope, domain.OrgIDScope) { userInfo.AppendClaims(domain.OrgIDClaim, strings.TrimPrefix(scope, domain.OrgIDScope)) - resourceOwnerClaims, err := o.assertUserResourceOwner(ctx, userID) - if err != nil { + if err := o.setUserInfoResourceOwner(ctx, userInfo, userID); err != nil { return err } - for claim, value := range resourceOwnerClaims { - userInfo.AppendClaims(claim, value) - } } } } @@ -339,7 +310,64 @@ func (o *OPStorage) setUserinfo(ctx context.Context, userInfo oidc.UserInfoSette return o.userinfoFlows(ctx, user.ResourceOwner, userGrants, userInfo) } -func (o *OPStorage) userinfoFlows(ctx context.Context, resourceOwner string, userGrants *query.UserGrants, userInfo oidc.UserInfoSetter) error { +func (o *OPStorage) setUserInfoProfile(ctx context.Context, userInfo *oidc.UserInfo, user *query.User) { + userInfo.PreferredUsername = user.PreferredLoginName + userInfo.UpdatedAt = oidc.FromTime(user.ChangeDate) + if user.Machine != nil { + userInfo.Name = user.Machine.Name + return + } + userInfo.Name = user.Human.DisplayName + userInfo.FamilyName = user.Human.LastName + userInfo.GivenName = user.Human.FirstName + userInfo.Nickname = user.Human.NickName + userInfo.Gender = getGender(user.Human.Gender) + userInfo.Locale = oidc.NewLocale(user.Human.PreferredLanguage) + userInfo.Picture = domain.AvatarURL(o.assetAPIPrefix(ctx), user.ResourceOwner, user.Human.AvatarKey) +} + +func setUserInfoEmail(userInfo *oidc.UserInfo, user *query.User) { + if user.Human == nil { + return + } + userInfo.UserInfoEmail = oidc.UserInfoEmail{ + Email: string(user.Human.Email), + EmailVerified: oidc.Bool(user.Human.IsEmailVerified)} +} + +func setUserInfoPhone(userInfo *oidc.UserInfo, user *query.User) { + if user.Human == nil { + return + } + userInfo.UserInfoPhone = oidc.UserInfoPhone{ + PhoneNumber: string(user.Human.Phone), + PhoneNumberVerified: user.Human.IsPhoneVerified, + } +} + +func (o *OPStorage) setUserInfoMetadata(ctx context.Context, userInfo *oidc.UserInfo, userID string) error { + userMetaData, err := o.assertUserMetaData(ctx, userID) + if err != nil { + return err + } + if len(userMetaData) > 0 { + userInfo.AppendClaims(ClaimUserMetaData, userMetaData) + } + return nil +} + +func (o *OPStorage) setUserInfoResourceOwner(ctx context.Context, userInfo *oidc.UserInfo, userID string) error { + resourceOwnerClaims, err := o.assertUserResourceOwner(ctx, userID) + if err != nil { + return err + } + for claim, value := range resourceOwnerClaims { + userInfo.AppendClaims(claim, value) + } + return nil +} + +func (o *OPStorage) userinfoFlows(ctx context.Context, resourceOwner string, userGrants *query.UserGrants, userInfo *oidc.UserInfo) error { queriedActions, err := o.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeCustomiseToken, domain.TriggerTypePreUserinfoCreation, resourceOwner, false) if err != nil { return err @@ -350,7 +378,7 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, resourceOwner string, use actions.SetFields("claims", userinfoClaims(userInfo)), actions.SetFields("getUser", func(c *actions.FieldConfig) interface{} { return func(call goja.FunctionCall) goja.Value { - user, err := o.query.GetUserByID(ctx, true, userInfo.GetSubject(), false) + user, err := o.query.GetUserByID(ctx, true, userInfo.Subject, false) if err != nil { panic(err) } @@ -368,7 +396,7 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, resourceOwner string, use metadata, err := o.query.SearchUserMetadata( ctx, true, - userInfo.GetSubject(), + userInfo.Subject, &query.UserMetadataSearchQueries{Queries: []query.SearchQuery{resourceOwnerQuery}}, false, ) @@ -394,7 +422,7 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, resourceOwner string, use actions.SetFields("v1", actions.SetFields("userinfo", actions.SetFields("setClaim", func(key string, value interface{}) { - if userInfo.GetClaim(key) == nil { + if userInfo.Claims[key] == nil { userInfo.AppendClaims(key, value) return } @@ -406,7 +434,7 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, resourceOwner string, use ), actions.SetFields("claims", actions.SetFields("setClaim", func(key string, value interface{}) { - if userInfo.GetClaim(key) == nil { + if userInfo.Claims[key] == nil { userInfo.AppendClaims(key, value) return } @@ -434,7 +462,7 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, resourceOwner string, use Key: key, Value: value, } - if _, err = o.command.SetUserMetadata(ctx, metadata, userInfo.GetSubject(), resourceOwner); err != nil { + if _, err = o.command.SetUserMetadata(ctx, metadata, userInfo.Subject, resourceOwner); err != nil { logging.WithError(err).Info("unable to set md in action") panic(err) } @@ -729,7 +757,7 @@ func appendClaim(claims map[string]interface{}, claim string, value interface{}) return claims } -func userinfoClaims(userInfo oidc.UserInfoSetter) func(c *actions.FieldConfig) interface{} { +func userinfoClaims(userInfo *oidc.UserInfo) func(c *actions.FieldConfig) interface{} { return func(c *actions.FieldConfig) interface{} { marshalled, err := json.Marshal(userInfo) if err != nil { diff --git a/internal/api/oidc/op.go b/internal/api/oidc/op.go index a5c4d0da38..c8d72a12ed 100644 --- a/internal/api/oidc/op.go +++ b/internal/api/oidc/op.go @@ -84,7 +84,6 @@ func NewProvider(ctx context.Context, config Config, defaultLogoutRedirectURI st return nil, caos_errs.ThrowInternal(err, "OIDC-D3gq1", "cannot create options: %w") } provider, err := op.NewDynamicOpenIDProvider( - ctx, "", opConfig, storage, diff --git a/internal/api/ui/login/custom_action.go b/internal/api/ui/login/custom_action.go index bf4f2342a3..9703913485 100644 --- a/internal/api/ui/login/custom_action.go +++ b/internal/api/ui/login/custom_action.go @@ -18,7 +18,7 @@ import ( func (l *Login) runPostExternalAuthenticationActions( user *domain.ExternalUser, - tokens *oidc.Tokens, + tokens *oidc.Tokens[*oidc.IDTokenClaims], authRequest *domain.AuthRequest, httpRequest *http.Request, idpUser idp.User, @@ -347,7 +347,7 @@ func (l *Login) runPostCreationActions( return object.UserGrantsToDomain(userID, mutableUserGrants.UserGrants), err } -func tokenCtxFields(tokens *oidc.Tokens) []actions.FieldOption { +func tokenCtxFields(tokens *oidc.Tokens[*oidc.IDTokenClaims]) []actions.FieldOption { var accessToken, idToken string getClaim := func(claim string) interface{} { return nil @@ -367,7 +367,7 @@ func tokenCtxFields(tokens *oidc.Tokens) []actions.FieldOption { idToken = tokens.IDToken if tokens.IDTokenClaims != nil { getClaim = func(claim string) interface{} { - return tokens.IDTokenClaims.GetClaim(claim) + return tokens.IDTokenClaims.Claims[claim] } claimsJSON = func() (string, error) { c, err := json.Marshal(tokens.IDTokenClaims) diff --git a/internal/api/ui/login/external_provider_handler.go b/internal/api/ui/login/external_provider_handler.go index cac82900ab..4920e9f4f2 100644 --- a/internal/api/ui/login/external_provider_handler.go +++ b/internal/api/ui/login/external_provider_handler.go @@ -837,7 +837,7 @@ func (l *Login) appendUserGrants(ctx context.Context, userGrants []*domain.UserG return nil } -func (l *Login) externalAuthFailed(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, tokens *oidc.Tokens, user idp.User, err error) { +func (l *Login) externalAuthFailed(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, tokens *oidc.Tokens[*oidc.IDTokenClaims], user idp.User, err error) { if _, actionErr := l.runPostExternalAuthenticationActions(&domain.ExternalUser{}, tokens, authReq, r, user, err); actionErr != nil { logging.WithError(err).Error("both external user authentication and action post authentication failed") } @@ -845,7 +845,7 @@ func (l *Login) externalAuthFailed(w http.ResponseWriter, r *http.Request, authR } // tokens extracts the oidc.Tokens for backwards compatibility of PostExternalAuthenticationActions -func tokens(session idp.Session) *oidc.Tokens { +func tokens(session idp.Session) *oidc.Tokens[*oidc.IDTokenClaims] { switch s := session.(type) { case *openid.Session: return s.Tokens diff --git a/internal/api/ui/login/jwt_handler.go b/internal/api/ui/login/jwt_handler.go index fd5eac88c6..970b47e129 100644 --- a/internal/api/ui/login/jwt_handler.go +++ b/internal/api/ui/login/jwt_handler.go @@ -81,7 +81,7 @@ func (l *Login) handleJWTExtraction(w http.ResponseWriter, r *http.Request, auth l.renderError(w, r, authReq, err) return } - session := &jwt.Session{Provider: provider, Tokens: &oidc.Tokens{IDToken: token, Token: &oauth2.Token{}}} + session := &jwt.Session{Provider: provider, Tokens: &oidc.Tokens[*oidc.IDTokenClaims]{IDToken: token, Token: &oauth2.Token{}}} user, err := session.FetchUser(r.Context()) if err != nil { if _, actionErr := l.runPostExternalAuthenticationActions(new(domain.ExternalUser), tokens(session), authReq, r, user, err); actionErr != nil { diff --git a/internal/auth/repository/eventsourcing/eventstore/refresh_token.go b/internal/auth/repository/eventsourcing/eventstore/refresh_token.go index b1f7a34429..a57c7e748c 100644 --- a/internal/auth/repository/eventsourcing/eventstore/refresh_token.go +++ b/internal/auth/repository/eventsourcing/eventstore/refresh_token.go @@ -26,11 +26,22 @@ type RefreshTokenRepo struct { KeyAlgorithm crypto.EncryptionAlgorithm } -func (r *RefreshTokenRepo) RefreshTokenByID(ctx context.Context, refreshToken string) (*usr_model.RefreshTokenView, error) { +func (r *RefreshTokenRepo) RefreshTokenByToken(ctx context.Context, refreshToken string) (*usr_model.RefreshTokenView, error) { userID, tokenID, token, err := domain.FromRefreshToken(refreshToken, r.KeyAlgorithm) if err != nil { return nil, err } + tokenView, err := r.RefreshTokenByID(ctx, tokenID, userID) + if err != nil { + return nil, err + } + if tokenView.Token != token { + return nil, errors.ThrowNotFound(nil, "EVENT-5Bm9s", "Errors.User.RefreshToken.Invalid") + } + return tokenView, nil +} + +func (r *RefreshTokenRepo) RefreshTokenByID(ctx context.Context, tokenID, userID string) (*usr_model.RefreshTokenView, error) { tokenView, viewErr := r.View.RefreshTokenByID(tokenID, authz.GetInstance(ctx).InstanceID()) if viewErr != nil && !errors.IsNotFound(viewErr) { return nil, viewErr @@ -57,7 +68,7 @@ func (r *RefreshTokenRepo) RefreshTokenByID(ctx context.Context, refreshToken st return model.RefreshTokenViewToModel(&viewToken), nil } } - if !tokenView.Expiration.After(time.Now()) || tokenView.Token != token { + if !tokenView.Expiration.After(time.Now()) { return nil, errors.ThrowNotFound(nil, "EVENT-5Bm9s", "Errors.User.RefreshToken.Invalid") } return model.RefreshTokenViewToModel(tokenView), nil diff --git a/internal/auth/repository/refresh_token.go b/internal/auth/repository/refresh_token.go index 8e353dc94c..9053ccf708 100644 --- a/internal/auth/repository/refresh_token.go +++ b/internal/auth/repository/refresh_token.go @@ -7,6 +7,7 @@ import ( ) type RefreshTokenRepository interface { - RefreshTokenByID(ctx context.Context, refreshToken string) (*model.RefreshTokenView, error) + RefreshTokenByID(ctx context.Context, tokenID, userID string) (*model.RefreshTokenView, error) + RefreshTokenByToken(ctx context.Context, refreshToken string) (*model.RefreshTokenView, error) SearchMyRefreshTokens(ctx context.Context, userID string, request *model.RefreshTokenSearchRequest) (*model.RefreshTokenSearchResponse, error) } diff --git a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go index a48e5dcf7e..4ef653d207 100644 --- a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go +++ b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go @@ -153,11 +153,11 @@ func (repo *TokenVerifierRepo) getTokenIDAndSubject(ctx context.Context, accessT tokenIDSubject, err := repo.decryptAccessToken(accessToken) if err != nil { // if decryption did not work, it might be a JWT - accessTokenClaims, err := op.VerifyAccessToken(ctx, accessToken, repo.jwtTokenVerifier(ctx)) + accessTokenClaims, err := op.VerifyAccessToken[*oidc.AccessTokenClaims](ctx, accessToken, repo.jwtTokenVerifier(ctx)) if err != nil { return "", "", false } - return accessTokenClaims.GetTokenID(), accessTokenClaims.GetSubject(), true + return accessTokenClaims.JWTID, accessTokenClaims.Subject, true } splitToken := strings.Split(tokenIDSubject, ":") if len(splitToken) != 2 { diff --git a/internal/idp/providers/azuread/session_test.go b/internal/idp/providers/azuread/session_test.go index 884841fa43..5c6c45b4ef 100644 --- a/internal/idp/providers/azuread/session_test.go +++ b/internal/idp/providers/azuread/session_test.go @@ -30,7 +30,7 @@ func TestSession_FetchUser(t *testing.T) { options []ProviderOptions authURL string code string - tokens *oidc.Tokens + tokens *oidc.Tokens[*oidc.IDTokenClaims] } type want struct { err func(error) bool @@ -87,7 +87,7 @@ func TestSession_FetchUser(t *testing.T) { Reply(http.StatusInternalServerError) }, authURL: "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid+profile+email&state=testState", - tokens: &oidc.Tokens{ + tokens: &oidc.Tokens[*oidc.IDTokenClaims]{ Token: &oauth2.Token{ AccessToken: "accessToken", TokenType: oidc.BearerToken, @@ -125,7 +125,7 @@ func TestSession_FetchUser(t *testing.T) { JSON(userinfo()) }, authURL: "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid+profile+email&state=testState", - tokens: &oidc.Tokens{ + tokens: &oidc.Tokens[*oidc.IDTokenClaims]{ Token: &oauth2.Token{ AccessToken: "accessToken", TokenType: oidc.BearerToken, @@ -189,7 +189,7 @@ func TestSession_FetchUser(t *testing.T) { JSON(userinfo()) }, authURL: "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid+profile+email&state=testState", - tokens: &oidc.Tokens{ + tokens: &oidc.Tokens[*oidc.IDTokenClaims]{ Token: &oauth2.Token{ AccessToken: "accessToken", TokenType: oidc.BearerToken, diff --git a/internal/idp/providers/github/session_test.go b/internal/idp/providers/github/session_test.go index 9c40a0bb1d..2ad9f449fc 100644 --- a/internal/idp/providers/github/session_test.go +++ b/internal/idp/providers/github/session_test.go @@ -27,7 +27,7 @@ func TestSession_FetchUser(t *testing.T) { httpMock func() authURL string code string - tokens *oidc.Tokens + tokens *oidc.Tokens[*oidc.IDTokenClaims] scopes []string options []oauth.ProviderOpts } @@ -93,7 +93,7 @@ func TestSession_FetchUser(t *testing.T) { Reply(http.StatusInternalServerError) }, authURL: "https://github.com/login/oauth/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&state=testState", - tokens: &oidc.Tokens{ + tokens: &oidc.Tokens[*oidc.IDTokenClaims]{ Token: &oauth2.Token{ AccessToken: "accessToken", TokenType: oidc.BearerToken, @@ -122,7 +122,7 @@ func TestSession_FetchUser(t *testing.T) { JSON(userinfo()) }, authURL: "https://github.com/login/oauth/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&state=testState", - tokens: &oidc.Tokens{ + tokens: &oidc.Tokens[*oidc.IDTokenClaims]{ Token: &oauth2.Token{ AccessToken: "accessToken", TokenType: oidc.BearerToken, diff --git a/internal/idp/providers/gitlab/session_test.go b/internal/idp/providers/gitlab/session_test.go index ff5c218132..de59044326 100644 --- a/internal/idp/providers/gitlab/session_test.go +++ b/internal/idp/providers/gitlab/session_test.go @@ -27,7 +27,7 @@ func TestProvider_FetchUser(t *testing.T) { httpMock func() authURL string code string - tokens *openid.Tokens + tokens *openid.Tokens[*openid.IDTokenClaims] options []oidc.ProviderOpts } type want struct { @@ -85,7 +85,7 @@ func TestProvider_FetchUser(t *testing.T) { JSON(userinfo()) }, authURL: "https://gitlab.com/oauth/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState", - tokens: &openid.Tokens{ + tokens: &openid.Tokens[*openid.IDTokenClaims]{ Token: &oauth2.Token{ AccessToken: "accessToken", TokenType: openid.BearerToken, @@ -122,7 +122,7 @@ func TestProvider_FetchUser(t *testing.T) { JSON(userinfo()) }, authURL: "https://gitlab.com/oauth/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState", - tokens: &openid.Tokens{ + tokens: &openid.Tokens[*openid.IDTokenClaims]{ Token: &oauth2.Token{ AccessToken: "accessToken", TokenType: openid.BearerToken, @@ -200,18 +200,26 @@ func TestProvider_FetchUser(t *testing.T) { } } -func userinfo() openid.UserInfoSetter { - info := openid.NewUserInfo() - info.SetSubject("sub") - info.SetGivenName("firstname") - info.SetFamilyName("lastname") - info.SetName("firstname lastname") - info.SetNickname("nickname") - info.SetPreferredUsername("username") - info.SetEmail("email", true) - info.SetPhone("phone", true) - info.SetLocale(language.English) - info.SetPicture("picture") - info.SetProfile("profile") - return info +func userinfo() *openid.UserInfo { + return &openid.UserInfo{ + Subject: "sub", + UserInfoProfile: openid.UserInfoProfile{ + GivenName: "firstname", + FamilyName: "lastname", + Name: "firstname lastname", + Nickname: "nickname", + PreferredUsername: "username", + Locale: openid.NewLocale(language.English), + Picture: "picture", + Profile: "profile", + }, + UserInfoEmail: openid.UserInfoEmail{ + Email: "email", + EmailVerified: openid.Bool(true), + }, + UserInfoPhone: openid.UserInfoPhone{ + PhoneNumber: "phone", + PhoneNumberVerified: true, + }, + } } diff --git a/internal/idp/providers/google/google.go b/internal/idp/providers/google/google.go index 4c1506c6a6..7036d4e101 100644 --- a/internal/idp/providers/google/google.go +++ b/internal/idp/providers/google/google.go @@ -30,7 +30,7 @@ func New(clientID, clientSecret, redirectURI string, scopes []string, opts ...oi }, nil } -var userMapper = func(info openid.UserInfo) idp.User { +var userMapper = func(info *openid.UserInfo) idp.User { return &User{oidc.DefaultMapper(info)} } diff --git a/internal/idp/providers/google/session_test.go b/internal/idp/providers/google/session_test.go index 6387318d9f..d3edde0ea3 100644 --- a/internal/idp/providers/google/session_test.go +++ b/internal/idp/providers/google/session_test.go @@ -27,7 +27,7 @@ func TestSession_FetchUser(t *testing.T) { httpMock func() authURL string code string - tokens *openid.Tokens + tokens *openid.Tokens[*openid.IDTokenClaims] } type want struct { err error @@ -85,7 +85,7 @@ func TestSession_FetchUser(t *testing.T) { JSON(userinfo()) }, authURL: "https://accounts.google.com/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState", - tokens: &openid.Tokens{ + tokens: &openid.Tokens[*openid.IDTokenClaims]{ Token: &oauth2.Token{ AccessToken: "accessToken", TokenType: openid.BearerToken, @@ -122,7 +122,7 @@ func TestSession_FetchUser(t *testing.T) { JSON(userinfo()) }, authURL: "https://accounts.google.com/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState", - tokens: &openid.Tokens{ + tokens: &openid.Tokens[*openid.IDTokenClaims]{ Token: &oauth2.Token{ AccessToken: "accessToken", TokenType: openid.BearerToken, @@ -201,15 +201,22 @@ func TestSession_FetchUser(t *testing.T) { } } -func userinfo() openid.UserInfoSetter { - info := openid.NewUserInfo() - info.SetSubject("sub") - info.SetGivenName("firstname") - info.SetFamilyName("lastname") - info.SetName("firstname lastname") - info.SetEmail("email", true) - info.SetLocale(language.English) - info.SetPicture("picture") - info.AppendClaims("hd", "hosted domain") - return info +func userinfo() *openid.UserInfo { + return &openid.UserInfo{ + Subject: "sub", + UserInfoProfile: openid.UserInfoProfile{ + GivenName: "firstname", + FamilyName: "lastname", + Name: "firstname lastname", + Locale: openid.NewLocale(language.English), + Picture: "picture", + }, + UserInfoEmail: openid.UserInfoEmail{ + Email: "email", + EmailVerified: openid.Bool(true), + }, + Claims: map[string]any{ + "hd": "hosted domain", + }, + } } diff --git a/internal/idp/providers/jwt/session.go b/internal/idp/providers/jwt/session.go index 3c47d436ac..b0b69293e8 100644 --- a/internal/idp/providers/jwt/session.go +++ b/internal/idp/providers/jwt/session.go @@ -27,7 +27,7 @@ var ( type Session struct { *Provider AuthURL string - Tokens *oidc.Tokens + Tokens *oidc.Tokens[*oidc.IDTokenClaims] } // GetAuthURL implements the [idp.Session] interface @@ -48,12 +48,12 @@ func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) { return &User{s.Tokens.IDTokenClaims}, nil } -func (s *Session) validateToken(ctx context.Context, token string) (oidc.IDTokenClaims, error) { +func (s *Session) validateToken(ctx context.Context, token string) (*oidc.IDTokenClaims, error) { logging.Debug("begin token validation") // TODO: be able to specify them in the template: https://github.com/zitadel/zitadel/issues/5322 offset := 3 * time.Second maxAge := time.Hour - claims := oidc.EmptyIDTokenClaims() + claims := new(oidc.IDTokenClaims) payload, err := oidc.ParseToken(token, claims) if err != nil { return nil, fmt.Errorf("%w: malformed jwt payload: %v", ErrInvalidToken, err) @@ -84,45 +84,57 @@ func (s *Session) validateToken(ctx context.Context, token string) (oidc.IDToken } type User struct { - oidc.IDTokenClaims + *oidc.IDTokenClaims } func (u *User) GetID() string { - return u.IDTokenClaims.GetSubject() + return u.Subject } func (u *User) GetFirstName() string { - return u.IDTokenClaims.GetGivenName() + return u.GivenName } func (u *User) GetLastName() string { - return u.IDTokenClaims.GetFamilyName() + return u.FamilyName } func (u *User) GetDisplayName() string { - return u.IDTokenClaims.GetName() + return u.Name } func (u *User) GetNickname() string { - return u.IDTokenClaims.GetNickname() + return u.Nickname } -func (u *User) GetPhone() domain.PhoneNumber { - return domain.PhoneNumber(u.IDTokenClaims.GetPhoneNumber()) -} - -func (u *User) IsPhoneVerified() bool { - return u.IDTokenClaims.IsPhoneNumberVerified() -} - -func (u *User) GetPreferredLanguage() language.Tag { - return u.IDTokenClaims.GetLocale() -} - -func (u *User) GetAvatarURL() string { - return u.IDTokenClaims.GetPicture() +func (u *User) GetPreferredUsername() string { + return u.PreferredUsername } func (u *User) GetEmail() domain.EmailAddress { - return domain.EmailAddress(u.IDTokenClaims.GetEmail()) + return domain.EmailAddress(u.Email) +} + +func (u *User) IsEmailVerified() bool { + return bool(u.EmailVerified) +} + +func (u *User) GetPhone() domain.PhoneNumber { + return domain.PhoneNumber(u.IDTokenClaims.PhoneNumber) +} + +func (u *User) IsPhoneVerified() bool { + return u.PhoneNumberVerified +} + +func (u *User) GetPreferredLanguage() language.Tag { + return u.Locale.Tag() +} + +func (u *User) GetAvatarURL() string { + return u.Picture +} + +func (u *User) GetProfile() string { + return u.Profile } diff --git a/internal/idp/providers/jwt/session_test.go b/internal/idp/providers/jwt/session_test.go index 4aca6692dd..ae79ed22e5 100644 --- a/internal/idp/providers/jwt/session_test.go +++ b/internal/idp/providers/jwt/session_test.go @@ -30,7 +30,7 @@ func TestSession_FetchUser(t *testing.T) { encryptionAlg func(t *testing.T) crypto.EncryptionAlgorithm httpMock func(issuer string) authURL string - tokens *oidc.Tokens + tokens *oidc.Tokens[*oidc.IDTokenClaims] } type want struct { err func(error) bool @@ -93,7 +93,7 @@ func TestSession_FetchUser(t *testing.T) { JSON(keys(t)) }, authURL: "https://auth.com/jwt?authRequestID=testState", - tokens: &oidc.Tokens{ + tokens: &oidc.Tokens[*oidc.IDTokenClaims]{ Token: &oauth2.Token{}, IDToken: "invalidToken", }, @@ -121,26 +121,32 @@ func TestSession_FetchUser(t *testing.T) { JSON(keys(t)) }, authURL: "https://auth.com/jwt?authRequestID=testState", - tokens: &oidc.Tokens{ + tokens: &oidc.Tokens[*oidc.IDTokenClaims]{ Token: &oauth2.Token{}, IDToken: idToken(t, "https://jwt.com"), - IDTokenClaims: func() oidc.IDTokenClaims { - claims := oidc.EmptyIDTokenClaims() - userinfo := oidc.NewUserInfo() - userinfo.SetSubject("sub") - userinfo.SetPicture("picture") - userinfo.SetName("firstname lastname") - userinfo.SetEmail("email", true) - userinfo.SetGivenName("firstname") - userinfo.SetFamilyName("lastname") - userinfo.SetNickname("nickname") - userinfo.SetPreferredUsername("username") - userinfo.SetProfile("profile") - userinfo.SetPhone("phone", true) - userinfo.SetLocale(language.English) - claims.SetUserinfo(userinfo) - return claims - }(), + IDTokenClaims: &oidc.IDTokenClaims{ + TokenClaims: oidc.TokenClaims{ + Subject: "sub", + }, + UserInfoProfile: oidc.UserInfoProfile{ + Picture: "picture", + Name: "firstname lastname", + GivenName: "firstname", + FamilyName: "lastname", + Nickname: "nickname", + PreferredUsername: "username", + Profile: "profile", + Locale: oidc.NewLocale(language.English), + }, + UserInfoEmail: oidc.UserInfoEmail{ + Email: "email", + EmailVerified: oidc.Bool(true), + }, + UserInfoPhone: oidc.UserInfoPhone{ + PhoneNumber: "phone", + PhoneNumberVerified: true, + }, + }, }, }, want: want{ @@ -219,19 +225,25 @@ func idToken(t *testing.T, issuer string) string { "clientID", 0, ) - info := oidc.NewUserInfo() - info.SetSubject("sub") - info.SetGivenName("firstname") - info.SetFamilyName("lastname") - info.SetName("firstname lastname") - info.SetNickname("nickname") - info.SetPreferredUsername("username") - info.SetEmail("email", true) - info.SetPhone("phone", true) - info.SetLocale(language.English) - info.SetPicture("picture") - info.SetProfile("profile") - claims.SetUserinfo(info) + claims.UserInfoProfile = oidc.UserInfoProfile{ + GivenName: "firstname", + FamilyName: "lastname", + Name: "firstname lastname", + Nickname: "nickname", + PreferredUsername: "username", + Locale: oidc.NewLocale(language.English), + Picture: "picture", + Profile: "profile", + } + claims.UserInfoEmail = oidc.UserInfoEmail{ + Email: "email", + EmailVerified: oidc.Bool(true), + } + claims.UserInfoPhone = oidc.UserInfoPhone{ + PhoneNumber: "phone", + PhoneNumberVerified: true, + } + privateKey, err := crypto.BytesToPrivateKey([]byte(`-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAs38btwb3c7r0tMaQpGvBmY+mPwMU/LpfuPoC0k2t4RsKp0fv 40SMl50CRrHgk395wch8PMPYbl3+8TtYAJuyrFALIj3Ff1UcKIk0hOH5DDsfh7/q diff --git a/internal/idp/providers/oauth/session.go b/internal/idp/providers/oauth/session.go index 3f9ccd23b3..760fcefcfa 100644 --- a/internal/idp/providers/oauth/session.go +++ b/internal/idp/providers/oauth/session.go @@ -20,7 +20,7 @@ var _ idp.Session = (*Session)(nil) type Session struct { AuthURL string Code string - Tokens *oidc.Tokens + Tokens *oidc.Tokens[*oidc.IDTokenClaims] Provider *Provider } @@ -55,7 +55,7 @@ func (s *Session) authorize(ctx context.Context) (err error) { if s.Code == "" { return ErrCodeMissing } - s.Tokens, err = rp.CodeExchange(ctx, s.Code, s.Provider.RelyingParty) + s.Tokens, err = rp.CodeExchange[*oidc.IDTokenClaims](ctx, s.Code, s.Provider.RelyingParty) if err != nil { return err } diff --git a/internal/idp/providers/oauth/session_test.go b/internal/idp/providers/oauth/session_test.go index f5cfc36e1e..9901ea11c3 100644 --- a/internal/idp/providers/oauth/session_test.go +++ b/internal/idp/providers/oauth/session_test.go @@ -26,7 +26,7 @@ func TestProvider_FetchUser(t *testing.T) { userMapper func() idp.User authURL string code string - tokens *oidc.Tokens + tokens *oidc.Tokens[*oidc.IDTokenClaims] } type want struct { err func(error) bool @@ -97,7 +97,7 @@ func TestProvider_FetchUser(t *testing.T) { return NewUserMapper("userID") }, authURL: "https://oauth2.com/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=user&state=testState", - tokens: &oidc.Tokens{ + tokens: &oidc.Tokens[*oidc.IDTokenClaims]{ Token: &oauth2.Token{ AccessToken: "accessToken", TokenType: oidc.BearerToken, @@ -137,7 +137,7 @@ func TestProvider_FetchUser(t *testing.T) { return NewUserMapper("userID") }, authURL: "https://issuer.com/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=user&state=testState", - tokens: &oidc.Tokens{ + tokens: &oidc.Tokens[*oidc.IDTokenClaims]{ Token: &oauth2.Token{ AccessToken: "accessToken", TokenType: oidc.BearerToken, diff --git a/internal/idp/providers/oidc/oidc.go b/internal/idp/providers/oidc/oidc.go index ecd37db7d8..dbd0c76f95 100644 --- a/internal/idp/providers/oidc/oidc.go +++ b/internal/idp/providers/oidc/oidc.go @@ -21,7 +21,7 @@ type Provider struct { isAutoCreation bool isAutoUpdate bool useIDToken bool - userInfoMapper func(info oidc.UserInfo) idp.User + userInfoMapper func(info *oidc.UserInfo) idp.User authOptions []rp.AuthURLOpt } @@ -77,9 +77,9 @@ func WithSelectAccount() ProviderOpts { } } -type UserInfoMapper func(info oidc.UserInfo) idp.User +type UserInfoMapper func(info *oidc.UserInfo) idp.User -var DefaultMapper UserInfoMapper = func(info oidc.UserInfo) idp.User { +var DefaultMapper UserInfoMapper = func(info *oidc.UserInfo) idp.User { return NewUser(info) } diff --git a/internal/idp/providers/oidc/oidc_test.go b/internal/idp/providers/oidc/oidc_test.go index 71f110a658..c2310ac0d8 100644 --- a/internal/idp/providers/oidc/oidc_test.go +++ b/internal/idp/providers/oidc/oidc_test.go @@ -21,7 +21,7 @@ func TestProvider_BeginAuth(t *testing.T) { clientSecret string redirectURI string scopes []string - userMapper func(info oidc.UserInfo) idp.User + userMapper func(info *oidc.UserInfo) idp.User httpMock func(issuer string) opts []ProviderOpts } @@ -82,7 +82,7 @@ func TestProvider_Options(t *testing.T) { clientSecret string redirectURI string scopes []string - userMapper func(info oidc.UserInfo) idp.User + userMapper func(info *oidc.UserInfo) idp.User opts []ProviderOpts httpMock func(issuer string) } diff --git a/internal/idp/providers/oidc/session.go b/internal/idp/providers/oidc/session.go index fb1aa9549f..67b38cd1a8 100644 --- a/internal/idp/providers/oidc/session.go +++ b/internal/idp/providers/oidc/session.go @@ -21,7 +21,7 @@ type Session struct { Provider *Provider AuthURL string Code string - Tokens *oidc.Tokens + Tokens *oidc.Tokens[*oidc.IDTokenClaims] } // GetAuthURL implements the [idp.Session] interface. @@ -48,7 +48,7 @@ func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) { return nil, err } if s.Provider.useIDToken { - info = s.Tokens.IDTokenClaims + info = s.Tokens.IDTokenClaims.GetUserInfo() } u := s.Provider.userInfoMapper(info) return u, nil @@ -58,50 +58,66 @@ func (s *Session) authorize(ctx context.Context) (err error) { if s.Code == "" { return ErrCodeMissing } - s.Tokens, err = rp.CodeExchange(ctx, s.Code, s.Provider.RelyingParty) + s.Tokens, err = rp.CodeExchange[*oidc.IDTokenClaims](ctx, s.Code, s.Provider.RelyingParty) return err } -func NewUser(info oidc.UserInfo) *User { +func NewUser(info *oidc.UserInfo) *User { return &User{UserInfo: info} } type User struct { - oidc.UserInfo + *oidc.UserInfo } func (u *User) GetID() string { - return u.GetSubject() + return u.Subject } func (u *User) GetFirstName() string { - return u.GetGivenName() + return u.GivenName } func (u *User) GetLastName() string { - return u.GetFamilyName() + return u.FamilyName } func (u *User) GetDisplayName() string { - return u.GetName() + return u.Name } -func (u *User) GetPhone() domain.PhoneNumber { - return domain.PhoneNumber(u.GetPhoneNumber()) +func (u *User) GetNickname() string { + return u.Nickname } -func (u *User) IsPhoneVerified() bool { - return u.IsPhoneNumberVerified() -} - -func (u *User) GetPreferredLanguage() language.Tag { - return u.GetLocale() -} - -func (u *User) GetAvatarURL() string { - return u.GetPicture() +func (u *User) GetPreferredUsername() string { + return u.PreferredUsername } func (u *User) GetEmail() domain.EmailAddress { - return domain.EmailAddress(u.UserInfo.GetEmail()) + return domain.EmailAddress(u.UserInfo.Email) +} + +func (u *User) IsEmailVerified() bool { + return bool(u.EmailVerified) +} + +func (u *User) GetPhone() domain.PhoneNumber { + return domain.PhoneNumber(u.PhoneNumber) +} + +func (u *User) IsPhoneVerified() bool { + return u.PhoneNumberVerified +} + +func (u *User) GetPreferredLanguage() language.Tag { + return u.Locale.Tag() +} + +func (u *User) GetAvatarURL() string { + return u.Picture +} + +func (u *User) GetProfile() string { + return u.Profile } diff --git a/internal/idp/providers/oidc/session_test.go b/internal/idp/providers/oidc/session_test.go index c84aaef33e..afaa358042 100644 --- a/internal/idp/providers/oidc/session_test.go +++ b/internal/idp/providers/oidc/session_test.go @@ -29,11 +29,11 @@ func TestSession_FetchUser(t *testing.T) { clientSecret string redirectURI string scopes []string - userMapper func(oidc.UserInfo) idp.User + userMapper func(*oidc.UserInfo) idp.User httpMock func(issuer string) authURL string code string - tokens *oidc.Tokens + tokens *oidc.Tokens[*oidc.IDTokenClaims] } type want struct { err error @@ -114,7 +114,7 @@ func TestSession_FetchUser(t *testing.T) { JSON(userinfo()) }, authURL: "https://issuer.com/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState", - tokens: &oidc.Tokens{ + tokens: &oidc.Tokens[*oidc.IDTokenClaims]{ Token: &oauth2.Token{ AccessToken: "accessToken", TokenType: oidc.BearerToken, @@ -163,7 +163,7 @@ func TestSession_FetchUser(t *testing.T) { JSON(userinfo()) }, authURL: "https://issuer.com/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState", - tokens: &oidc.Tokens{ + tokens: &oidc.Tokens[*oidc.IDTokenClaims]{ Token: &oauth2.Token{ AccessToken: "accessToken", TokenType: oidc.BearerToken, @@ -294,20 +294,28 @@ func TestSession_FetchUser(t *testing.T) { } } -func userinfo() oidc.UserInfoSetter { - info := oidc.NewUserInfo() - info.SetSubject("sub") - info.SetGivenName("firstname") - info.SetFamilyName("lastname") - info.SetName("firstname lastname") - info.SetNickname("nickname") - info.SetPreferredUsername("username") - info.SetEmail("email", true) - info.SetPhone("phone", true) - info.SetLocale(language.English) - info.SetPicture("picture") - info.SetProfile("profile") - return info +func userinfo() *oidc.UserInfo { + return &oidc.UserInfo{ + Subject: "sub", + UserInfoProfile: oidc.UserInfoProfile{ + GivenName: "firstname", + FamilyName: "lastname", + Name: "firstname lastname", + Nickname: "nickname", + PreferredUsername: "username", + Locale: oidc.NewLocale(language.English), + Picture: "picture", + Profile: "profile", + }, + UserInfoEmail: oidc.UserInfoEmail{ + Email: "email", + EmailVerified: oidc.Bool(true), + }, + UserInfoPhone: oidc.UserInfoPhone{ + PhoneNumber: "phone", + PhoneNumberVerified: true, + }, + } } func tokenResponse(t *testing.T, issuer string) *oidc.AccessTokenResponse {