feat: support for session_state (#712)

* add default signature algorithm * implements session_state in auth_request.go * add test * Update pkg/op/auth_request.go link to the standard Co-authored-by: Tim Möhlmann <muhlemmer@gmail.com> * add check_session_iframe --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Tim Möhlmann <muhlemmer@gmail.com>
2025-02-24 19:50:38 +09:00 · 2025-02-24 19:50:38 +09:00 · 4ef9529012
commit 4ef9529012
parent eb98343a65
9 changed files with 97 additions and 7 deletions
--- a/pkg/op/auth_request.go
+++ b/pkg/op/auth_request.go
@ -38,6 +38,13 @@ type AuthRequest interface {
 	Done() bool
 }

+// AuthRequestSessionState should be implemented if [OpenID Connect Session Management](https://openid.net/specs/openid-connect-session-1_0.html) is supported
+type AuthRequestSessionState interface {
+	// GetSessionState returns session_state.
+	// session_state is related to OpenID Connect Session Management.
+	GetSessionState() string
+}
+
 type Authorizer interface {
 	Storage() Storage
 	Decoder() httphelper.Decoder
@ -103,8 +110,8 @@ func Authorize(w http.ResponseWriter, r *http.Request, authorizer Authorizer) {
 		}
 		return ValidateAuthRequestClient(ctx, authReq, client, verifier)
 	}
-	if validater, ok := authorizer.(AuthorizeValidator); ok {
-		validation = validater.ValidateAuthRequest
+	if validator, ok := authorizer.(AuthorizeValidator); ok {
+		validation = validator.ValidateAuthRequest
 	}
 	userID, err := validation(ctx, authReq, authorizer.Storage(), authorizer.IDTokenHintVerifier(ctx))
 	if err != nil {
@ -481,12 +488,19 @@ func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthReques
 		AuthRequestError(w, r, authReq, err, authorizer)
 		return
 	}
+	var sessionState string
+	authRequestSessionState, ok := authReq.(AuthRequestSessionState)
+	if ok {
+		sessionState = authRequestSessionState.GetSessionState()
+	}
 	codeResponse := struct {
-		Code  string `schema:"code"`
-		State string `schema:"state,omitempty"`
+		Code         string `schema:"code"`
+		State        string `schema:"state,omitempty"`
+		SessionState string `schema:"session_state,omitempty"`
 	}{
-		Code:  code,
-		State: authReq.GetState(),
+		Code:         code,
+		State:        authReq.GetState(),
+		SessionState: sessionState,
 	}

 	if authReq.GetResponseMode() == oidc.ResponseModeFormPost {