This change requires an additional argument to the op.RegisterLegacyServer constructor which passes the Authorize Callback Handler.
This allows implementations to use their own handler instead of the one provided by the package.
The current handler is exported for legacy behavior.
This change is not considered breaking, as RegisterLegacyServer is flagged experimental.
Related to https://github.com/zitadel/zitadel/issues/6882
* feat(rp): to use signing algorithms from discovery configuration (#574)
* feat: WithSigningAlgsFromDiscovery to verify IDTokenVerifier() behavior in RP with
This change updates to go-jose v4, which was a new major release.
jose.ParseSigned now expects the supported signing algorithms to be passed, on which we previously did our own check. As they use a dedicated type for this, the slice of string needs to be converted. The returned error also need to be handled in a non-standard way in order to stay compatible.
For OIDC v4 we should use the jose.SignatureAlgorithm type directly and wrap errors, instead of returned static defined errors.
Closes#583
With impersonation we assign an actor claim to our JWT/ID Tokens. This change adds the actor claim to the introspection response to follow suit.
This PR also adds the `auth_time` and `amr` claims for consistency.
For impersonation token exchange we need to persist the actor throughout token requests, including refresh token.
This PR adds the optional TokenActorRequest interface which allows to pass such actor.
* feat: extend token exchange response
This change adds fields to the token exchange and token claims types.
The `act` claim has been added to describe the actor in case of impersonation or delegation. An actor can be nested in case an obtained token is used as actor token to obtain impersonation or delegation. This allows creating a chain of actors. See [RFC 8693, section 4.1](https://www.rfc-editor.org/rfc/rfc8693#name-act-actor-claim).
The `id_token` field has been added to the Token Exchange response so an ID Token can be returned along with an access token. This is not specified in RFC 8693, but it allows us be consistent with OpenID responses when the scope `openid` is set, while the requested token type may remain access token.
* allow jwt profile for token exchange client
* add invalid target error
* feat(op): Add response_mode: form_post
* Fix to parse the template ahead of time
* Fix to render the template in a buffer
* Remove unnecessary import
* Fix test
* Fix example client setting
* Make sure the client not to reuse the content of the response
* Fix error handling
* Add the response_mode param
* Allow implicit flow in the example app
* feat(rp): allow form_post in code exchange callback handler
---------
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
This change adds Go 1.22 as a build target and drops support for Go 1.20 and older. The golang.org/x/exp/slog import is migrated to log/slog.
Slog has been part of the Go standard library since Go 1.21. Therefore we are dropping support for older Go versions. This is in line of our support policy of "the latest two Go versions".
* feat(op): split the access and ID token hint verifiers
In zitadel we require different behaviors wrt public key expiry between access tokens and ID token hints.
This change splits the two verifiers in the OP.
The default is still based on Storage and passed to both verifier fields.
* add new options to tests
* fix: allow expired ID token hint to end sessions
This change adds a specific error for expired ID Token hints, including too old "issued at" and "max auth age".
The error is returned VerifyIDTokenHint so that the end session handler can choose to ignore this error.
This fixes the behavior to be in line with [OpenID Connect RP-Initiated Logout 1.0, section 4](https://openid.net/specs/openid-connect-rpinitiated-1_0.html#ValidationAndErrorHandling).
* Tes IDTokenHintExpiredError
* fix(oidc): ignore unknown language tag in userinfo unmarshal
Open system reported an issue where a generic OpenID provider might return language tags like "gb".
These tags are well-formed but unknown and Go returns an error for it.
We already ignored unknown tags is ui_locale arrays lik in AuthRequest.
This change ignores singular unknown tags, like used in the userinfo `locale` claim.
* do not set nil to Locale field
* Add configurable CORS policy in OpenIDProvider
* Add configurable CORS policy to Server
* remove duplicated CORS middleware
* Allow nil CORS policy to be set to disable CORS middleware
* create a separate handler on webServer so type assertion works in tests
As introspection is a Oauth mechanism for resource servers only,
it does not make sense to get an oidc client by ID.
The original OP did not do this and now we make the server behavior similar.
