Merge branch 'next' into next-main

2023-10-12 15:08:55 +03:00 · 2023-10-12 15:08:55 +03:00 · d9487ef77d
commit d9487ef77d
parent bb115d8f6a 0f8a0585bf
118 changed files with 6091 additions and 981 deletions
--- a/pkg/client/rs/introspect_example_test.go
+++ b/pkg/client/rs/introspect_example_test.go
@ -0,0 +1,52 @@
+package rs_test
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/zitadel/oidc/v3/pkg/client/rs"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+)
+
+type IntrospectionResponse struct {
+	Active     bool                     `json:"active"`
+	Scope      oidc.SpaceDelimitedArray `json:"scope,omitempty"`
+	ClientID   string                   `json:"client_id,omitempty"`
+	TokenType  string                   `json:"token_type,omitempty"`
+	Expiration oidc.Time                `json:"exp,omitempty"`
+	IssuedAt   oidc.Time                `json:"iat,omitempty"`
+	NotBefore  oidc.Time                `json:"nbf,omitempty"`
+	Subject    string                   `json:"sub,omitempty"`
+	Audience   oidc.Audience            `json:"aud,omitempty"`
+	Issuer     string                   `json:"iss,omitempty"`
+	JWTID      string                   `json:"jti,omitempty"`
+	Username   string                   `json:"username,omitempty"`
+	oidc.UserInfoProfile
+	oidc.UserInfoEmail
+	oidc.UserInfoPhone
+	Address *oidc.UserInfoAddress `json:"address,omitempty"`
+
+	// Foo and Bar are custom claims
+	Foo string `json:"foo,omitempty"`
+	Bar struct {
+		Val1 string `json:"val_1,omitempty"`
+		Val2 string `json:"val_2,omitempty"`
+	} `json:"bar,omitempty"`
+
+	// Claims are all the combined claims, including custom.
+	Claims map[string]any `json:"-,omitempty"`
+}
+
+func ExampleIntrospect_custom() {
+	rss, err := rs.NewResourceServerClientCredentials(context.TODO(), "http://localhost:8080", "clientid", "clientsecret")
+	if err != nil {
+		panic(err)
+	}
+
+	resp, err := rs.Introspect[*IntrospectionResponse](context.TODO(), rss, "accesstokenstring")
+	if err != nil {
+		panic(err)
+	}
+
+	fmt.Println(resp)
+}
--- a/pkg/client/rs/resource_server.go
+++ b/pkg/client/rs/resource_server.go
@ -6,9 +6,9 @@ import (
 	"net/http"
 	"time"

-	"github.com/zitadel/oidc/v2/pkg/client"
-	httphelper "github.com/zitadel/oidc/v2/pkg/http"
-	"github.com/zitadel/oidc/v2/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )

 type ResourceServer interface {
@ -42,14 +42,14 @@ func (r *resourceServer) AuthFn() (any, error) {
 	return r.authFn()
 }

-func NewResourceServerClientCredentials(issuer, clientID, clientSecret string, option ...Option) (ResourceServer, error) {
+func NewResourceServerClientCredentials(ctx context.Context, issuer, clientID, clientSecret string, option ...Option) (ResourceServer, error) {
 	authorizer := func() (any, error) {
 		return httphelper.AuthorizeBasic(clientID, clientSecret), nil
 	}
-	return newResourceServer(issuer, authorizer, option...)
+	return newResourceServer(ctx, issuer, authorizer, option...)
 }

-func NewResourceServerJWTProfile(issuer, clientID, keyID string, key []byte, options ...Option) (ResourceServer, error) {
+func NewResourceServerJWTProfile(ctx context.Context, issuer, clientID, keyID string, key []byte, options ...Option) (ResourceServer, error) {
 	signer, err := client.NewSignerFromPrivateKeyByte(key, keyID)
 	if err != nil {
 		return nil, err
@ -61,10 +61,10 @@ func NewResourceServerJWTProfile(issuer, clientID, keyID string, key []byte, opt
 		}
 		return client.ClientAssertionFormAuthorization(assertion), nil
 	}
-	return newResourceServer(issuer, authorizer, options...)
+	return newResourceServer(ctx, issuer, authorizer, options...)
 }

-func newResourceServer(issuer string, authorizer func() (any, error), options ...Option) (*resourceServer, error) {
+func newResourceServer(ctx context.Context, issuer string, authorizer func() (any, error), options ...Option) (*resourceServer, error) {
 	rs := &resourceServer{
 		issuer:     issuer,
 		httpClient: httphelper.DefaultHTTPClient,
@ -73,7 +73,7 @@ func newResourceServer(issuer string, authorizer func() (any, error), options ..
 		optFunc(rs)
 	}
 	if rs.introspectURL == "" || rs.tokenURL == "" {
-		config, err := client.Discover(rs.issuer, rs.httpClient)
+		config, err := client.Discover(ctx, rs.issuer, rs.httpClient)
 		if err != nil {
 			return nil, err
 		}
@ -91,12 +91,12 @@ func newResourceServer(issuer string, authorizer func() (any, error), options ..
 	return rs, nil
 }

-func NewResourceServerFromKeyFile(issuer, path string, options ...Option) (ResourceServer, error) {
+func NewResourceServerFromKeyFile(ctx context.Context, issuer, path string, options ...Option) (ResourceServer, error) {
 	c, err := client.ConfigFromKeyFile(path)
 	if err != nil {
 		return nil, err
 	}
-	return NewResourceServerJWTProfile(issuer, c.ClientID, c.KeyID, []byte(c.Key), options...)
+	return NewResourceServerJWTProfile(ctx, issuer, c.ClientID, c.KeyID, []byte(c.Key), options...)
 }

 type Option func(*resourceServer)
@ -116,21 +116,27 @@ func WithStaticEndpoints(tokenURL, introspectURL string) Option {
 	}
 }

-func Introspect(ctx context.Context, rp ResourceServer, token string) (*oidc.IntrospectionResponse, error) {
+// Introspect calls the [RFC7662] Token Introspection
+// endpoint and returns the response in an instance of type R.
+// [*oidc.IntrospectionResponse] can be used as a good example, or use a custom type if type-safe
+// access to custom claims is needed.
+//
+// [RFC7662]: https://www.rfc-editor.org/rfc/rfc7662
+func Introspect[R any](ctx context.Context, rp ResourceServer, token string) (resp R, err error) {
 	if rp.IntrospectionURL() == "" {
-		return nil, errors.New("resource server: introspection URL is empty")
+		return resp, errors.New("resource server: introspection URL is empty")
 	}
 	authFn, err := rp.AuthFn()
 	if err != nil {
-		return nil, err
+		return resp, err
 	}
-	req, err := httphelper.FormRequest(rp.IntrospectionURL(), &oidc.IntrospectionRequest{Token: token}, client.Encoder, authFn)
+	req, err := httphelper.FormRequest(ctx, rp.IntrospectionURL(), &oidc.IntrospectionRequest{Token: token}, client.Encoder, authFn)
 	if err != nil {
-		return nil, err
+		return resp, err
 	}
-	resp := new(oidc.IntrospectionResponse)
-	if err := httphelper.HttpRequest(rp.HttpClient(), req, resp); err != nil {
-		return nil, err
+
+	if err := httphelper.HttpRequest(rp.HttpClient(), req, &resp); err != nil {
+		return resp, err
 	}
 	return resp, nil
 }
--- a/pkg/client/rs/resource_server_test.go
+++ b/pkg/client/rs/resource_server_test.go
@ -6,6 +6,7 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 )

 func TestNewResourceServer(t *testing.T) {
@ -164,7 +165,7 @@ func TestNewResourceServer(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := newResourceServer(tt.args.issuer, tt.args.authorizer, tt.args.options...)
+			got, err := newResourceServer(context.Background(), tt.args.issuer, tt.args.authorizer, tt.args.options...)
 			if tt.wantErr {
 				assert.Error(t, err)
 				return
@ -187,6 +188,7 @@ func TestIntrospect(t *testing.T) {
 		token string
 	}
 	rp, err := newResourceServer(
+		context.Background(),
 		"https://accounts.spotify.com",
 		nil,
 	)
@ -208,7 +210,7 @@ func TestIntrospect(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, err := Introspect(tt.args.ctx, tt.args.rp, tt.args.token)
+			_, err := Introspect[*oidc.IntrospectionResponse](tt.args.ctx, tt.args.rp, tt.args.token)
 			if tt.wantErr {
 				assert.Error(t, err)
 				return