* first draft of a new server interface
* allow any response type
* complete interface docs
* refelct the format from the proposal
* intermediate commit with some methods implemented
* implement remaining token grant type methods
* implement remaining server methods
* error handling
* rewrite auth request validation
* define handlers, routes
* input validation and concrete handlers
* check if client credential client is authenticated
* copy and modify the routes test for the legacy server
* run integration tests against both Server and Provider
* remove unuse ValidateAuthRequestV2 function
* unit tests for error handling
* cleanup tokenHandler
* move server routest test
* unit test authorize
* handle client credentials in VerifyClient
* change code exchange route test
* finish http unit tests
* review server interface docs and spelling
* add withClient unit test
* server options
* cleanup unused GrantType method
* resolve typo comments
* make endpoints pointers to enable/disable them
* jwt profile base work
* jwt: correct the test expect
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
* feat(op): user slog for logging
integrate with golang.org/x/exp/slog for logging.
provide a middleware for request scoped logging.
BREAKING CHANGES:
1. OpenIDProvider and sub-interfaces get a Logger()
method to return the configured logger;
2. AuthRequestError now takes the complete Authorizer,
instead of only the encoder. So that it may use its Logger() method.
3. RequestError now takes a Logger as argument.
* use zitadel/logging
* finish op and testing
without middleware for now
* minimum go version 1.19
* update go mod
* log value testing only on go 1.20 or later
* finish the RP and example
* ping logging release
BREAKING CHANGE:
- rename RefreshAccessToken to RefreshToken
- RefreshToken returns *oidc.Tokens instead of *oauth2.Token
This change allows the return of the id_token in an explicit manner,
as part of the oidc.Tokens struct.
The return type is now consistent with the CodeExchange function.
When an id_token is returned, it is verified.
In case no id_token was received,
RefreshTokens will not return an error.
As per specifictation:
https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
Upon successful validation of the Refresh Token,
the response body is the Token Response of Section 3.1.3.3
except that it might not contain an id_token.
Closes#364
* oidc: add regression tests for token claim json
this helps to verify that the same JSON is produced,
after these types are refactored.
* refactor: use struct types for claim related types
BREAKING CHANGE:
The following types are changed from interface to struct type:
- AccessTokenClaims
- IDTokenClaims
- IntrospectionResponse
- UserInfo and related types.
The following methods of OPStorage now take a pointer to a struct type,
instead of an interface:
- SetUserinfoFromScopes
- SetUserinfoFromToken
- SetIntrospectionFromToken
The following functions are now generic, so that type-safe extension
of Claims is now possible:
- op.VerifyIDTokenHint
- op.VerifyAccessToken
- rp.VerifyTokens
- rp.VerifyIDToken
- Changed UserInfoAddress to pointer in UserInfo and
IntrospectionResponse.
This was needed to make omitempty work correctly.
- Copy or merge maps in IntrospectionResponse and SetUserInfo
* op: add example for VerifyAccessToken
* fix: rp: wrong assignment in WithIssuedAtMaxAge
WithIssuedAtMaxAge assigned its value to v.maxAge, which was wrong.
This change fixes that by assiging the duration to v.maxAgeIAT.
* rp: add VerifyTokens example
* oidc: add standard references to:
- IDTokenClaims
- IntrospectionResponse
- UserInfo
* only count coverage for `./pkg/...`
BREAKING CHANGE:
- op.NewOpenIDProvider
- op.NewDynamicOpenIDProvider
The call chain of above functions did not use the context anywhere.
This change removes the context from those fucntion arguments.
This change implements OAuth2 Token Exchange in OP according to RFC 8693 (and client code)
Some implementation details:
- OP parses and verifies subject/actor tokens natively if they were issued by OP
- Third-party tokens verification is also possible by implementing additional storage interface
- Token exchange can issue only OP's native tokens (id_token, access_token and refresh_token) with static issuer
2023-02-19 15:57:46 +02:00
Renamed from pkg/client/rp/integration_test.go (Browse further)
