- Introduced CodeResponseType struct to encapsulate response data.
- Added handleFormPostResponse and handleRedirectResponse functions to manage different response modes.
- Created BuildAuthResponseCodeResponsePayload and BuildAuthResponseCallbackURL functions for better modularity in response generation.
Finally the RFC Best Current Practice for OAuth 2.0 Security has been approved.
According to the RFC:
> Authorization servers MUST support PKCE [RFC7636].
>
> If a client sends a valid PKCE code_challenge parameter in the authorization request, the authorization server MUST enforce the correct usage of code_verifier at the token endpoint.
Isn’t it time we strengthen PKCE support a bit more?
This PR updates the logic so that PKCE is always verified, even when the Auth Method is not "none".
* chore: updating go to 1.24
* fixup! chore: updating go to 1.24
* fixup! fixup! chore: updating go to 1.24
* fix device test (drop read error)
* drop older go versions
* drop unrelated formatter changes
---------
Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
* add default signature algorithm
* implements session_state in auth_request.go
* add test
* Update pkg/op/auth_request.go
link to the standard
Co-authored-by: Tim Möhlmann <muhlemmer@gmail.com>
* add check_session_iframe
---------
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
Co-authored-by: Tim Möhlmann <muhlemmer@gmail.com>
This changes removes the requirement of the openid scope to be set for all token requests.
As this library also support OAuth2-only authentication mechanisms we still want to sanitize requested scopes, but not enforce the openid scope.
Related to https://github.com/zitadel/zitadel/discussions/8068
This change requires an additional argument to the op.RegisterLegacyServer constructor which passes the Authorize Callback Handler.
This allows implementations to use their own handler instead of the one provided by the package.
The current handler is exported for legacy behavior.
This change is not considered breaking, as RegisterLegacyServer is flagged experimental.
Related to https://github.com/zitadel/zitadel/issues/6882
This change updates to go-jose v4, which was a new major release.
jose.ParseSigned now expects the supported signing algorithms to be passed, on which we previously did our own check. As they use a dedicated type for this, the slice of string needs to be converted. The returned error also need to be handled in a non-standard way in order to stay compatible.
For OIDC v4 we should use the jose.SignatureAlgorithm type directly and wrap errors, instead of returned static defined errors.
Closes#583
For impersonation token exchange we need to persist the actor throughout token requests, including refresh token.
This PR adds the optional TokenActorRequest interface which allows to pass such actor.
* feat(op): Add response_mode: form_post
* Fix to parse the template ahead of time
* Fix to render the template in a buffer
* Remove unnecessary import
* Fix test
* Fix example client setting
* Make sure the client not to reuse the content of the response
* Fix error handling
* Add the response_mode param
* Allow implicit flow in the example app
* feat(rp): allow form_post in code exchange callback handler
---------
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
This change adds Go 1.22 as a build target and drops support for Go 1.20 and older. The golang.org/x/exp/slog import is migrated to log/slog.
Slog has been part of the Go standard library since Go 1.21. Therefore we are dropping support for older Go versions. This is in line of our support policy of "the latest two Go versions".
* feat(op): split the access and ID token hint verifiers
In zitadel we require different behaviors wrt public key expiry between access tokens and ID token hints.
This change splits the two verifiers in the OP.
The default is still based on Storage and passed to both verifier fields.
* add new options to tests
* fix: allow expired ID token hint to end sessions
This change adds a specific error for expired ID Token hints, including too old "issued at" and "max auth age".
The error is returned VerifyIDTokenHint so that the end session handler can choose to ignore this error.
This fixes the behavior to be in line with [OpenID Connect RP-Initiated Logout 1.0, section 4](https://openid.net/specs/openid-connect-rpinitiated-1_0.html#ValidationAndErrorHandling).
* Tes IDTokenHintExpiredError
* Add configurable CORS policy in OpenIDProvider
* Add configurable CORS policy to Server
* remove duplicated CORS middleware
* Allow nil CORS policy to be set to disable CORS middleware
* create a separate handler on webServer so type assertion works in tests
As introspection is a Oauth mechanism for resource servers only,
it does not make sense to get an oidc client by ID.
The original OP did not do this and now we make the server behavior similar.
