cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
705 commits 8 branches 227 tags 3.4 MiB
Commit graph

705 commits

This branch
This branch
All branches
Author SHA1 Message Date
ORZ (Paul Orzel)
29d69ca2e0 add function to marshal aud into a string if the array has a len of 1, to comply with rfc 2025-06-20 09:39:40 +02:00
ORZ (Paul Orzel)
53c4d07b45 remove actions 2025-06-20 08:56:29 +02:00
ORZ (Paul Orzel)
154fbe6420 Revert "feat(op): always verify code challenge when available (#721)"
Some checks failed
Code scanning - action / CodeQL-Build (push) Failing after 2m48s
Details
Release / Go 1.23 test (push) Has been cancelled
Details
Release / Go 1.24 test (push) Has been cancelled
Details
Release / release (push) Has been cancelled
Details 
Breaks OIDC for some not yet updated applications, that we use.

This reverts commit c51628ea27.
 2025-06-20 08:44:27 +02:00
Fabienne Bühler
d6e37fa741
Merge pull request #758 from zitadel/hifabienne-patch-1 
chore: update issue templates
 2025-06-17 14:32:55 +02:00
Fabienne Bühler
8e1e5174fd
Delete .github/ISSUE_TEMPLATE/proposal.yaml 2025-06-17 11:17:14 +02:00
Fabienne Bühler
5618487a88
Update and rename improvement.yaml to enhancement.yaml 2025-06-17 11:16:34 +02:00
Fabienne Bühler
187878de63
update docs issue template, add type 2025-06-17 11:15:26 +02:00
Fabienne Bühler
e127c66db2
chore: update issue templates 2025-06-17 11:14:09 +02:00
dependabot[bot]
e1415ef2f3
chore(deps): bump golang.org/x/text from 0.25.0 to 0.26.0 (#755) 
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.25.0 to 0.26.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.25.0...v0.26.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-version: 0.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-06-10 09:50:55 +02:00
Livio Spring
f94bd541d7
feat: update end session request to pass all params according to specification (#754) 
* feat: update end session request to pass all params according to specification

* register encoder
 2025-06-05 13:19:51 +02:00
dependabot[bot]
7d57aaa999
chore(deps): bump codecov/codecov-action from 5.4.2 to 5.4.3 (#751) 
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.4.2 to 5.4.3.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v5.4.2...v5.4.3)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 5.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-05-20 15:22:02 +03:00
dependabot[bot]
668fb0d37a
chore(deps): bump golang.org/x/text from 0.24.0 to 0.25.0 (#742) 
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.24.0 to 0.25.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.24.0...v0.25.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-version: 0.25.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-05-08 08:04:53 +02:00
dependabot[bot]
4ed4d257ab
chore(deps): bump golang.org/x/oauth2 from 0.29.0 to 0.30.0 (#743) 
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.29.0 to 0.30.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.29.0...v0.30.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.30.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-05-08 08:00:26 +02:00
Ayato
4f0ed79c0a
fix(op): Add mitigation for PKCE Downgrade Attack (#741) 
* fix(op): Add mitigation for PKCE downgrade attack

* chore(op): add test for PKCE verification
 2025-04-29 14:33:31 +00:00
Masahito Osako
5913c5a074
feat: enhance authentication response handling (#728) 
- Introduced CodeResponseType struct to encapsulate response data.
- Added handleFormPostResponse and handleRedirectResponse functions to manage different response modes.
- Created BuildAuthResponseCodeResponsePayload and BuildAuthResponseCallbackURL functions for better modularity in response generation.
 2025-04-29 14:17:28 +00:00
dependabot[bot]
b917cdc2e3
chore(deps): bump codecov/codecov-action from 5.4.0 to 5.4.2 (#737) 
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.4.0 to 5.4.2.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v5.4.0...v5.4.2)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 5.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-04-22 11:13:43 +02:00
dependabot[bot]
cb3ec3ac5f
chore(deps): bump golang.org/x/net from 0.36.0 to 0.38.0 (#739) 
* chore(deps): bump golang.org/x/net from 0.36.0 to 0.38.0

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.36.0 to 0.38.0.
- [Commits](https://github.com/golang/net/compare/v0.36.0...v0.38.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* update runner to ubuntu 24.04

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
 2025-04-22 11:05:39 +02:00
dependabot[bot]
7cc5fb6568
chore(deps): bump golang.org/x/text from 0.23.0 to 0.24.0 (#733) 
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.23.0 to 0.24.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.23.0...v0.24.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-version: 0.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-04-09 12:05:26 +00:00
dependabot[bot]
92972fd30f
chore(deps): bump golang.org/x/oauth2 from 0.28.0 to 0.29.0 (#734) 
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.28.0 to 0.29.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.28.0...v0.29.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.29.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-04-09 15:03:06 +03:00
Ayato
c51628ea27
feat(op): always verify code challenge when available (#721) 
Finally the RFC Best Current Practice for OAuth 2.0 Security has been approved.

According to the RFC:

> Authorization servers MUST support PKCE [RFC7636].
> 
> If a client sends a valid PKCE code_challenge parameter in the authorization request, the authorization server MUST enforce the correct usage of code_verifier at the token endpoint.

Isn’t it time we strengthen PKCE support a bit more?

This PR updates the logic so that PKCE is always verified, even when the Auth Method is not "none".
 2025-03-24 18:00:04 +02:00
dependabot[bot]
7096406e71
chore(deps): bump github.com/zitadel/schema from 1.3.0 to 1.3.1 (#731) 
Bumps [github.com/zitadel/schema](https://github.com/zitadel/schema) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/zitadel/schema/releases)
- [Changelog](https://github.com/zitadel/schema/blob/main/.releaserc.js)
- [Commits](https://github.com/zitadel/schema/compare/v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: github.com/zitadel/schema
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-24 12:19:20 +02:00
dependabot[bot]
c91db9e47b
chore(deps): bump github.com/zitadel/logging from 0.6.1 to 0.6.2 (#730) 
Bumps [github.com/zitadel/logging](https://github.com/zitadel/logging) from 0.6.1 to 0.6.2.
- [Release notes](https://github.com/zitadel/logging/releases)
- [Changelog](https://github.com/zitadel/logging/blob/main/.releaserc.js)
- [Commits](https://github.com/zitadel/logging/compare/v0.6.1...v0.6.2)

---
updated-dependencies:
- dependency-name: github.com/zitadel/logging
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-24 12:11:07 +02:00
Iraq
f648c61cab
Merge pull request #729 from zitadel/update-go-version 
chore: run 'go mod tidy'
 2025-03-23 16:49:50 +00:00
Iraq Jaber
30acdaf63a chore: run 'go mod tidy' 2025-03-23 16:27:57 +00:00
dependabot[bot]
aeda5d7178
chore(deps): bump golang.org/x/text from 0.22.0 to 0.23.0 (#723) 
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.22.0 to 0.23.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.22.0...v0.23.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-17 10:05:10 +00:00
dependabot[bot]
f3ee647005
chore(deps): bump golang.org/x/net from 0.33.0 to 0.36.0 (#727) 
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.33.0 to 0.36.0.
- [Commits](https://github.com/golang/net/compare/v0.33.0...v0.36.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-17 12:02:56 +02:00
dependabot[bot]
c401ad6cb8
chore(deps): bump golang.org/x/oauth2 from 0.26.0 to 0.28.0 (#724) 
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.26.0 to 0.28.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.26.0...v0.28.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-17 07:46:07 +01:00
Iraq
2c64de821d
chore: updating go to 1.24 (#726) 
* chore: updating go to 1.24

* fixup! chore: updating go to 1.24

* fixup! fixup! chore: updating go to 1.24

* fix device test (drop read error)

* drop older go versions

* drop unrelated formatter changes

---------

Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
 2025-03-14 16:12:26 +01:00
Tim Möhlmann
efd6fdad7a
fix: ignore empty json strings for locale (#678) 
* Revert "fix: ignore all unmarshal errors from locale (#673)"

This reverts commit fbf009fe75.

* fix: ignore empty json strings for locale
 2025-03-14 10:30:08 +00:00
BitMasher
7a767d8568
feat: add CanGetPrivateClaimsFromRequest interface (#717) 2025-03-12 14:00:29 +02:00
dependabot[bot]
eb2f912c5e
chore(deps): bump codecov/codecov-action from 5.3.1 to 5.4.0 (#722) 
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.3.1 to 5.4.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v5.3.1...v5.4.0)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-07 16:37:54 +01:00
dependabot[bot]
6a80712fbe
chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#716) 
Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.0.4 to 4.0.5.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.0.4...v4.0.5)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-02-25 12:00:02 +02:00
minami yoshihiko
4ef9529012
feat: support for session_state (#712) 
* add default signature algorithm

* implements session_state in auth_request.go

* add test

* Update pkg/op/auth_request.go

link to the standard

Co-authored-by: Tim Möhlmann <muhlemmer@gmail.com>

* add check_session_iframe

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
Co-authored-by: Tim Möhlmann <muhlemmer@gmail.com>
 2025-02-24 10:50:38 +00:00
Steve Ruckdashel
eb98343a65
fix: migrate deprecated io/ioutil.ReadFile to os.ReadFile (#714) 2025-02-21 09:52:02 +00:00
mqf20
add254f60c
docs(example): fixed creation of refresh token (#711) 
Signed-off-by: mqf20 <mingqingfoo@gmail.com>
 2025-02-19 14:44:34 +02:00
mqf20
b1e5aca629
docs(example): check and extend refresh token expiration (#698) 
* extend refresh token expiration

* check refresh token expiration

* check refresh token expiration (fixed logic)

* formatting

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
 2025-02-13 11:48:04 +00:00
mqf20
c03a8c59ca
docs(example): check access token expiration (#702) 2025-02-13 11:34:29 +00:00
mqf20
37dd41e49b
docs(example): simplified deletion (#699) 
* simplified deletion

* added docs
 2025-02-13 11:26:00 +00:00
mqf20
03e5ff8345
docs(example): add auth time (#700) 2025-02-13 11:23:44 +00:00
dependabot[bot]
c3c1bd3a40
chore(deps): bump github.com/go-chi/chi/v5 from 5.2.0 to 5.2.1 (#706) 
Bumps [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) from 5.2.0 to 5.2.1.
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](https://github.com/go-chi/chi/compare/v5.2.0...v5.2.1)

---
updated-dependencies:
- dependency-name: github.com/go-chi/chi/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-02-05 13:45:18 +02:00
dependabot[bot]
0d46df908e
chore(deps): bump golang.org/x/text from 0.21.0 to 0.22.0 (#708) 
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.21.0 to 0.22.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.21.0...v0.22.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-02-05 10:11:18 +00:00
dependabot[bot]
4250aad1f7
chore(deps): bump golang.org/x/oauth2 from 0.25.0 to 0.26.0 (#707) 
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.25.0 to 0.26.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.25.0...v0.26.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-02-05 12:08:45 +02:00
dependabot[bot]
8c9a536058
chore(deps): bump codecov/codecov-action from 5.1.2 to 5.3.1 (#703) 
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.1.2 to 5.3.1.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v5.1.2...v5.3.1)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-01-28 10:29:28 +02:00
dependabot[bot]
24c96c361d
chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.8.0 to 4.8.1 (#701) 
Bumps [github.com/bmatcuk/doublestar/v4](https://github.com/bmatcuk/doublestar) from 4.8.0 to 4.8.1.
- [Release notes](https://github.com/bmatcuk/doublestar/releases)
- [Commits](https://github.com/bmatcuk/doublestar/compare/v4.8.0...v4.8.1)

---
updated-dependencies:
- dependency-name: github.com/bmatcuk/doublestar/v4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-01-27 17:37:23 +02:00
Ramon
de2fd41f40
fix: allow native clients to use https:// on localhost redirects (#691) 2025-01-17 13:53:19 +00:00
dependabot[bot]
867a4806fd
chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.7.1 to 4.8.0 (#696) 
Bumps [github.com/bmatcuk/doublestar/v4](https://github.com/bmatcuk/doublestar) from 4.7.1 to 4.8.0.
- [Release notes](https://github.com/bmatcuk/doublestar/releases)
- [Commits](https://github.com/bmatcuk/doublestar/compare/v4.7.1...v4.8.0)

---
updated-dependencies:
- dependency-name: github.com/bmatcuk/doublestar/v4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-01-17 14:51:01 +01:00
dependabot[bot]
1f6a0d5d89
chore(deps): bump golang.org/x/oauth2 from 0.24.0 to 0.25.0 (#695) 
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.24.0 to 0.25.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.24.0...v0.25.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-01-06 10:47:02 +02:00
Danila Fominykh
a0f67c0b4b
feat: add redirect URI-s ENV setting to web clients (#693) 
Co-authored-by: FominykhDG <FominykhDG@cloudx.group>
 2025-01-03 08:27:01 +00:00
Stefan Benz
8d971dcad8
chore: bump dependencies (#694) 2024-12-30 12:47:05 +02:00
dependabot[bot]
6c90652dfb
chore(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2 (#692) 
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.1.1 to 5.1.2.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v5.1.1...v5.1.2)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-12-30 11:00:57 +02:00