cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
343 commits 8 branches 227 tags 3.4 MiB
Commit graph

150 commits

Author SHA1 Message Date
David Sharnoff
34fee029d9 Add an additional, optional, op.Storage interface so that refresh tokens 
that are not JWTs do not cause failures when they randomly, sometimes, decrypt
without error

```go
// CanRefreshTokenInfo is an optional additional interface that Storage can support.
// Supporting CanRefreshTokenInfo is required to be able to revoke a refresh token that
// does not happen to also be a JWTs work properly.
type CanRefreshTokenInfo interface {
        // GetRefreshTokenInfo must return oidc.ErrInvalidRefreshToken when presented
	// with a token that is not a refresh token.
	GetRefreshTokenInfo(ctx context.Context, clientID string, token string) (userID string, tokenID string, err error)
}
```
 2022-11-14 14:09:00 -08:00
David Sharnoff
fdefbf61da Merge branch 'main' of github.com:zitadel/oidc into zitadel-main 2022-11-14 13:51:44 -08:00
David Sharnoff
4e302ca4da
bugfix: access token verifier opts was not used (#237) 2022-11-14 17:00:27 +01:00
Utku Özdemir
a314c1483f
fix: allow http schema for redirect url for native apps in dev mode (#242) 2022-11-14 16:59:56 +01:00
David Sharnoff
1aa75ec953
feat: allow id token hint verifier to specify algs (#229) 2022-11-14 16:59:33 +01:00
David Sharnoff
6b7baa5a30 bugfix: access token verifier opts was not used 2022-10-24 15:21:39 -07:00
David Sharnoff
87a37b219f
Merge branch 'zitadel:main' into main 2022-10-24 14:24:22 -07:00
David Sharnoff
ca938b229a feat: allow id token hint verifier to specify algs 2022-10-24 14:21:19 -07:00
David Sharnoff
763d69b4ca feat: add rp.RevokeToken 2022-10-24 12:50:39 -07:00
Florian Forster
4ac692bfd8
chore: house cleaning of the caos name and update sec (#232) 
* chore: house cleaning of the caos name and update sec

* some typos

* make fix non breakable

* Update SECURITY.md

Co-authored-by: Livio Spring <livio.a@gmail.com>

* Update SECURITY.md

Co-authored-by: Livio Spring <livio.a@gmail.com>

Co-authored-by: Livio Spring <livio.a@gmail.com>
 2022-10-17 09:13:54 +02:00
David Sharnoff
b5da6ec29b
chore(linting): apply gofumpt & goimports to all .go files (#225) 2022-10-05 09:33:10 +02:00
David Sharnoff
c4b7ef9160
fix: avoid potential race conditions (#220) 
* fix potential race condition during signer update

* avoid potential race conditions with lazy-initializers in OpenIDProvider

* avoid potential race lazy initializers in RelyingParty

* review feedback -- additional potential races

* add pre-calls to NewRelyingPartyOIDC too
 2022-10-04 07:23:59 +02:00
David Sharnoff
328d0e1251
feat: add access token verifier ops to openidProvider (#221) 2022-09-30 07:39:40 +02:00
David Sharnoff
2d248b1a1a
fix: Change op.tokenHandler to follow the same pattern as the rest of the endpoint handlers (#210) 
inside op: provide a standard endpoint handler that uses injected data.
 2022-09-30 07:39:23 +02:00
David Sharnoff
4b4b0e49e0
chore: update jwtProfileKeySet to match actual use (#219) 2022-09-30 07:24:47 +02:00
David Sharnoff
c0badf2329
chore: additional errors and error improvements that catch problems earlier 2022-09-30 07:18:48 +02:00
David Sharnoff
0d721d937e
chore: adjustments to comments for things found while implementing Storage 2022-09-30 07:18:08 +02:00
David Sharnoff
0b4d62c745
chore: add comments documenting Storage and AuthStorage (#193) 
* add comments documenting Storage and AuthStorage

* JWTTokenRequest is a pointer

* note that token strings are actually tokenIDs

* review feedback

* remove suggestion that CreateAccessToken could be called with retrun from AuthStorage.TokenRequestByRefreshToken
 2022-08-05 10:54:40 +02:00
Livio Spring
53ede2ee8c
fix: use default redirect uri when not passed on end_session endpoint (#201) 2022-07-27 08:36:43 +02:00
David Sharnoff
b84bcbed76
chore: add enumer for iota-defined types (#197) 
Co-authored-by: Livio Spring <livio.a@gmail.com>
 2022-07-25 20:06:49 +02:00
David Sharnoff
498b70bae1
chore: add some docs to NewOpenIDProvider() (#191) 
* add some docs to NewOpenIDProvider()

* typo
 2022-07-04 09:20:29 +02:00
Livio Spring
854e14b7c4
fix: state and auth code response encoding (#185) 
* fix: add state in access token response (implicit flow)

* fix: encode auth response correctly (when using query in redirect uri)

* fix query param handling
 2022-06-21 07:24:40 +02:00
James Batt
86fd502434
feat(op): implemented support for client_credentials grant (#172) 
* implemented support for client_credentials grant

* first draft

* Update pkg/op/token_client_credentials.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* updated placeholder interface name

* updated import paths

* ran mockgen

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
 2022-05-09 15:06:54 +02:00
Florian Forster
550f7877f2
fix: move to new org (#177) 
* chore: move to new org

* chore: change import

* fix: update logging lib

Co-authored-by: Fabienne <fabienne.gerschwiler@gmail.com>
Co-authored-by: adlerhurst <silvan.reusser@gmail.com>
 2022-04-26 23:48:29 +02:00
dependabot[bot]
ab76b3518f
chore(deps): bump github.com/caos/logging from 0.0.2 to 0.3.1 (#159) 
* chore(deps): bump github.com/caos/logging from 0.0.2 to 0.3.1

Bumps [github.com/caos/logging](https://github.com/caos/logging) from 0.0.2 to 0.3.1.
- [Release notes](https://github.com/caos/logging/releases)
- [Changelog](https://github.com/caos/logging/blob/master/.releaserc.js)
- [Commits](https://github.com/caos/logging/compare/v0.0.2...v0.3.1)

---
updated-dependencies:
- dependency-name: github.com/caos/logging
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* update logging

* update logging

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
 2022-03-16 11:14:57 +01:00
Livio Amstutz
c07557be02
feat: build the redirect after a successful login with AuthCallbackURL function (#164) 2022-03-16 10:55:29 +01:00
Livio Amstutz
e39146c98e fix: ensure signer has key on OP creation 2022-01-31 07:27:52 +01:00
Livio Amstutz
eb10752e48
feat: Token Revocation, Request Object and OP Certification (#130) 
FEATURES (and FIXES):
- support OAuth 2.0 Token Revocation [RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009)
- handle request object using `request` parameter [OIDC Core 1.0 Request Object](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject)
- handle response mode
- added some information to the discovery endpoint:
  - revocation_endpoint (added with token revocation) 
  - revocation_endpoint_auth_methods_supported (added with token revocation)
  - revocation_endpoint_auth_signing_alg_values_supported (added with token revocation)
  - token_endpoint_auth_signing_alg_values_supported (was missing)
  - introspection_endpoint_auth_signing_alg_values_supported (was missing)
  - request_object_signing_alg_values_supported (added with request object)
  - request_parameter_supported (added with request object)
 - fixed `removeUserinfoScopes ` now returns the scopes without "userinfo" scopes (profile, email, phone, addedd) [source diff](https://github.com/caos/oidc/pull/130/files#diff-fad50c8c0f065d4dbc49d6c6a38f09c992c8f5d651a479ba00e31b500543559eL170-R171)
- improved error handling (pkg/oidc/error.go) and fixed some wrong OAuth errors (e.g. `invalid_grant` instead of `invalid_request`)
- improved MarshalJSON and added MarshalJSONWithStatus
- removed deprecated PEM decryption from `BytesToPrivateKey`  [source diff](https://github.com/caos/oidc/pull/130/files#diff-fe246e428e399ccff599627c71764de51387b60b4df84c67de3febd0954e859bL11-L19)
- NewAccessTokenVerifier now uses correct (internal) `accessTokenVerifier` [source diff](https://github.com/caos/oidc/pull/130/files#diff-3a01c7500ead8f35448456ef231c7c22f8d291710936cac91de5edeef52ffc72L52-R52)

BREAKING CHANGE:
- move functions from `utils` package into separate packages
- added various methods to the (OP) `Configuration` interface [source diff](https://github.com/caos/oidc/pull/130/files#diff-2538e0dfc772fdc37f057aecd6fcc2943f516c24e8be794cce0e368a26d20a82R19-R32)
- added revocationEndpoint to `WithCustomEndpoints ` [source diff](https://github.com/caos/oidc/pull/130/files#diff-19ae13a743eb7cebbb96492798b1bec556673eb6236b1387e38d722900bae1c3L355-R391)
- remove unnecessary context parameter from JWTProfileExchange [source diff](https://github.com/caos/oidc/pull/130/files#diff-4ed8f6affa4a9631fa8a034b3d5752fbb6a819107141aae00029014e950f7b4cL14)
 2021-11-02 13:21:35 +01:00
Livio Amstutz
a63fbee93d
fix: improve JWS and key verification (#128) 
* fix: improve JWS and key verification

* fix: get remote keys if no cached key matches

* fix: get remote keys if no cached key matches

* fix exactMatch

* fix exactMatch

* chore: change default branch name in .releaserc.js
 2021-09-14 15:13:44 +02:00
Beardo Moore
581885afb1
task: Ease dev host name constraints 
This changes the requirements for a issuer hostname to allow anything
that is `http`. The reason for this is because the user of the library
already has to make a conscious decision to set `CAOS_OIDC_DEV` so they
should already understand the risks of not using `https`. The primary
motivation for this change is to allow IdPs to be created in a
containerized integration test environment. Specifically setting up a
docker compose file that starts all parts of the system with a test IdP
using this library where the DNS name will not be `localhost`.
 2021-08-26 20:32:51 +00:00
Livio Amstutz
1132c9d93d
fix: removeUserinfoScopes return new slice (without manipulating passed one) (#110) 2021-07-21 08:27:38 +02:00
Livio Amstutz
8a35b89815
fix: supported ui locales from config (#107) 2021-07-09 09:20:03 +02:00
Livio Amstutz
58e27e8073 simplify KeyProvider interface 2021-06-30 14:10:38 +02:00
Livio Amstutz
0b446618c7 custom claims for assertion and jwt profile request 2021-06-23 14:01:31 +02:00
Livio Amstutz
e9fc710b1f Merge branch 'master' into jwt-profile-storage 
# Conflicts:
#	pkg/op/verifier_jwt_profile.go
 2021-06-23 13:51:20 +02:00
Livio Amstutz
850faa159d
fix: rp verification process (#95) 
* fix: rp verification process

* types

* comments

* fix cli client
 2021-06-23 11:08:54 +02:00
Livio Amstutz
39fef3e7fb fix: simplify JWTProfileVerifier interface 2021-06-21 14:04:38 +02:00
Livio Amstutz
400f5c4de4
fix: parse max_age and prompt correctly (and change scope type) (#105) 
* fix: parse max_age and prompt correctly (and change scope type)

* remove unnecessary omitempty
 2021-06-16 08:34:01 +02:00
Livio Amstutz
3e336a4075
fix: check refresh token grant type (#100) 2021-05-31 11:35:03 +02:00
Livio Amstutz
14faebbb77 fix: check grant types and add refresh token to discovery 2021-05-27 13:44:11 +02:00
Livio Amstutz
d362dd7546 handle error 2021-05-11 15:20:22 +02:00
Livio Amstutz
90b87289cb
Update pkg/op/token_code.go 
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
 2021-05-11 15:17:10 +02:00
Livio Amstutz
2a11a1979e rename storage methods and fix mocks 2021-05-11 10:48:11 +02:00
Livio Amstutz
3a46908051 Merge branch 'master' into refresh-token 2021-05-11 10:27:43 +02:00
Livio Amstutz
be04244212 amr and scopes 2021-05-11 10:26:25 +02:00
Livio Amstutz
540a7bd7be improve Loopback check 2021-04-29 12:43:21 +02:00
Livio Amstutz
5119d7aea3 begin refresh token 2021-04-29 09:20:01 +02:00
Livio Amstutz
72fc86164c fix: allow loopback redirect_uri for native apps 2021-04-26 14:31:26 +02:00
Livio Amstutz
a2601f1584
fix: return error when delegating user in jwt profile request (#94) 2021-04-23 11:53:03 +02:00
Livio Amstutz
8f6e2c5974 chore: improve signer log messages 2021-03-05 07:53:35 +01:00