cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
343 commits 8 branches 227 tags 3.4 MiB
Commit graph

212 commits

Author SHA1 Message Date
David Sharnoff
34fee029d9 Add an additional, optional, op.Storage interface so that refresh tokens 
that are not JWTs do not cause failures when they randomly, sometimes, decrypt
without error

```go
// CanRefreshTokenInfo is an optional additional interface that Storage can support.
// Supporting CanRefreshTokenInfo is required to be able to revoke a refresh token that
// does not happen to also be a JWTs work properly.
type CanRefreshTokenInfo interface {
        // GetRefreshTokenInfo must return oidc.ErrInvalidRefreshToken when presented
	// with a token that is not a refresh token.
	GetRefreshTokenInfo(ctx context.Context, clientID string, token string) (userID string, tokenID string, err error)
}
```
 2022-11-14 14:09:00 -08:00
David Sharnoff
fdefbf61da Merge branch 'main' of github.com:zitadel/oidc into zitadel-main 2022-11-14 13:51:44 -08:00
David Sharnoff
bd47b5ddc4
feat: support EndSession with RelyingParty client (#230) 
* feat: support EndSession with RelyingPart client

* do not error if OP does not provide a redirect

* undo that last change, but noice error returns from EndSession

* ioutil.ReadAll, for now
 2022-11-14 17:01:19 +01:00
David Sharnoff
4e302ca4da
bugfix: access token verifier opts was not used (#237) 2022-11-14 17:00:27 +01:00
Utku Özdemir
a314c1483f
fix: allow http schema for redirect url for native apps in dev mode (#242) 2022-11-14 16:59:56 +01:00
David Sharnoff
1aa75ec953
feat: allow id token hint verifier to specify algs (#229) 2022-11-14 16:59:33 +01:00
David Sharnoff
89d1c90bf2
fix: WithPath on NewCookieHandler set domain instead! (#240) 2022-11-14 16:58:36 +01:00
David Sharnoff
f49406ec35 fix: WithPath on NewCookieHandler set domain instead! 2022-11-07 16:19:19 -08:00
David Sharnoff
6b7baa5a30 bugfix: access token verifier opts was not used 2022-10-24 15:21:39 -07:00
David Sharnoff
1a0978975a Merge branch 'main' of github.com:muir/oidc 2022-10-24 14:53:22 -07:00
David Sharnoff
e1fc781484 feat: add rp.RevokeToken 2022-10-24 14:52:21 -07:00
David Sharnoff
87a37b219f
Merge branch 'zitadel:main' into main 2022-10-24 14:24:22 -07:00
David Sharnoff
ca938b229a feat: allow id token hint verifier to specify algs 2022-10-24 14:21:19 -07:00
David Sharnoff
045d612e93 feat: support EndSession with RelyingPart client 2022-10-24 14:21:03 -07:00
David Sharnoff
763d69b4ca feat: add rp.RevokeToken 2022-10-24 12:50:39 -07:00
Florian Forster
4ac692bfd8
chore: house cleaning of the caos name and update sec (#232) 
* chore: house cleaning of the caos name and update sec

* some typos

* make fix non breakable

* Update SECURITY.md

Co-authored-by: Livio Spring <livio.a@gmail.com>

* Update SECURITY.md

Co-authored-by: Livio Spring <livio.a@gmail.com>

Co-authored-by: Livio Spring <livio.a@gmail.com>
 2022-10-17 09:13:54 +02:00
David Sharnoff
4bc4bfffe8
add op.AllAuthMethods (#233) 2022-10-17 08:07:19 +02:00
David Sharnoff
b5da6ec29b
chore(linting): apply gofumpt & goimports to all .go files (#225) 2022-10-05 09:33:10 +02:00
David Sharnoff
c4b7ef9160
fix: avoid potential race conditions (#220) 
* fix potential race condition during signer update

* avoid potential race conditions with lazy-initializers in OpenIDProvider

* avoid potential race lazy initializers in RelyingParty

* review feedback -- additional potential races

* add pre-calls to NewRelyingPartyOIDC too
 2022-10-04 07:23:59 +02:00
David Sharnoff
62daf4cc42
feat: add WithPath CookieHandlerOpt (#217) 2022-09-30 07:40:05 +02:00
David Sharnoff
328d0e1251
feat: add access token verifier ops to openidProvider (#221) 2022-09-30 07:39:40 +02:00
David Sharnoff
2d248b1a1a
fix: Change op.tokenHandler to follow the same pattern as the rest of the endpoint handlers (#210) 
inside op: provide a standard endpoint handler that uses injected data.
 2022-09-30 07:39:23 +02:00
David Sharnoff
88a98c03ea
fix: rp.RefreshAccessToken did not work (#216) 
* oidc.RefreshTokenRequest cannot be used to in a request to refresh tokens
because it does not explicitly include grant_types.

* fix merge issue

* undo accidental formatting changes
 2022-09-30 07:28:31 +02:00
David Sharnoff
4b4b0e49e0
chore: update jwtProfileKeySet to match actual use (#219) 2022-09-30 07:24:47 +02:00
David Sharnoff
c0badf2329
chore: additional errors and error improvements that catch problems earlier 2022-09-30 07:18:48 +02:00
David Sharnoff
0d721d937e
chore: adjustments to comments for things found while implementing Storage 2022-09-30 07:18:08 +02:00
Igor Morozov
fca6cf9433
feat: get all claims (#209) 2022-08-30 16:09:56 +02:00
David Sharnoff
94871afbcb
feat: add rp.RefreshAccessToken (#198) 
* chore: make tokenEndpointCaller public

* add RelyingParty function

* undo changes made by gofumpt

* undo more gofumpt changes

* undo more gofumpt changes
 2022-08-05 10:57:50 +02:00
David Sharnoff
0b4d62c745
chore: add comments documenting Storage and AuthStorage (#193) 
* add comments documenting Storage and AuthStorage

* JWTTokenRequest is a pointer

* note that token strings are actually tokenIDs

* review feedback

* remove suggestion that CreateAccessToken could be called with retrun from AuthStorage.TokenRequestByRefreshToken
 2022-08-05 10:54:40 +02:00
Livio Spring
53ede2ee8c
fix: use default redirect uri when not passed on end_session endpoint (#201) 2022-07-27 08:36:43 +02:00
David Sharnoff
b84bcbed76
chore: add enumer for iota-defined types (#197) 
Co-authored-by: Livio Spring <livio.a@gmail.com>
 2022-07-25 20:06:49 +02:00
Fabi
c1458d6392
Merge pull request #199 from zitadel/introspect 
feat: add all optional claims of the introspection response
 2022-07-21 15:18:36 +02:00
Livio Amstutz
653209a23c
feat: add all optional claims of the introspection response 2022-07-21 09:34:14 +02:00
David Sharnoff
5fb36bf4c2
fix: Add db scanner methods for SpaceDelimitedArray (#194) 2022-07-20 15:36:17 +02:00
David Sharnoff
498b70bae1
chore: add some docs to NewOpenIDProvider() (#191) 
* add some docs to NewOpenIDProvider()

* typo
 2022-07-04 09:20:29 +02:00
David Sharnoff
385d5c15da
define GrantType constants in one place (#189) 2022-06-29 09:39:32 +00:00
David Sharnoff
9f36a5a3a9
fix typo in filename (#188) 2022-06-29 11:37:21 +02:00
Livio Spring
854e14b7c4
fix: state and auth code response encoding (#185) 
* fix: add state in access token response (implicit flow)

* fix: encode auth response correctly (when using query in redirect uri)

* fix query param handling
 2022-06-21 07:24:40 +02:00
Jederson Zuchi
9b0954f3d4
feat(rp): Adding end_session endpoint to relaying party interface (#179) 2022-05-13 09:17:20 +02:00
James Batt
86fd502434
feat(op): implemented support for client_credentials grant (#172) 
* implemented support for client_credentials grant

* first draft

* Update pkg/op/token_client_credentials.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* updated placeholder interface name

* updated import paths

* ran mockgen

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
 2022-05-09 15:06:54 +02:00
Florian Forster
550f7877f2
fix: move to new org (#177) 
* chore: move to new org

* chore: change import

* fix: update logging lib

Co-authored-by: Fabienne <fabienne.gerschwiler@gmail.com>
Co-authored-by: adlerhurst <silvan.reusser@gmail.com>
 2022-04-26 23:48:29 +02:00
Livio Amstutz
c195452bb0
feat(rp): provide key by data (not only path) for jwt profile (#168) 2022-04-14 10:10:56 +02:00
dependabot[bot]
ab76b3518f
chore(deps): bump github.com/caos/logging from 0.0.2 to 0.3.1 (#159) 
* chore(deps): bump github.com/caos/logging from 0.0.2 to 0.3.1

Bumps [github.com/caos/logging](https://github.com/caos/logging) from 0.0.2 to 0.3.1.
- [Release notes](https://github.com/caos/logging/releases)
- [Changelog](https://github.com/caos/logging/blob/master/.releaserc.js)
- [Commits](https://github.com/caos/logging/compare/v0.0.2...v0.3.1)

---
updated-dependencies:
- dependency-name: github.com/caos/logging
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* update logging

* update logging

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
 2022-03-16 11:14:57 +01:00
Livio Amstutz
c07557be02
feat: build the redirect after a successful login with AuthCallbackURL function (#164) 2022-03-16 10:55:29 +01:00
Silvan
1b81a2e890
Merge pull request #151 from caos/sign-concurrency 2022-03-01 10:07:30 +01:00
Ydris Rebibane
5601add628
feat: Allow the use of a custom discovery endpoint (#152) 
* Allow the use of custom endpoints

* Remove the custom constrtouctor and replace with an optional argument to override the discovery endpoit
 2022-02-16 09:14:54 +01:00
Livio Amstutz
e39146c98e fix: ensure signer has key on OP creation 2022-01-31 07:27:52 +01:00
Livio Amstutz
7ea5ddf250 add missing import 2022-01-28 09:48:37 +01:00
Livio Amstutz
bcd9ec8d85 fix: handle keys without use in FindMatchingKey 2022-01-28 09:42:42 +01:00
Livio Amstutz
eb10752e48
feat: Token Revocation, Request Object and OP Certification (#130) 
FEATURES (and FIXES):
- support OAuth 2.0 Token Revocation [RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009)
- handle request object using `request` parameter [OIDC Core 1.0 Request Object](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject)
- handle response mode
- added some information to the discovery endpoint:
  - revocation_endpoint (added with token revocation) 
  - revocation_endpoint_auth_methods_supported (added with token revocation)
  - revocation_endpoint_auth_signing_alg_values_supported (added with token revocation)
  - token_endpoint_auth_signing_alg_values_supported (was missing)
  - introspection_endpoint_auth_signing_alg_values_supported (was missing)
  - request_object_signing_alg_values_supported (added with request object)
  - request_parameter_supported (added with request object)
 - fixed `removeUserinfoScopes ` now returns the scopes without "userinfo" scopes (profile, email, phone, addedd) [source diff](https://github.com/caos/oidc/pull/130/files#diff-fad50c8c0f065d4dbc49d6c6a38f09c992c8f5d651a479ba00e31b500543559eL170-R171)
- improved error handling (pkg/oidc/error.go) and fixed some wrong OAuth errors (e.g. `invalid_grant` instead of `invalid_request`)
- improved MarshalJSON and added MarshalJSONWithStatus
- removed deprecated PEM decryption from `BytesToPrivateKey`  [source diff](https://github.com/caos/oidc/pull/130/files#diff-fe246e428e399ccff599627c71764de51387b60b4df84c67de3febd0954e859bL11-L19)
- NewAccessTokenVerifier now uses correct (internal) `accessTokenVerifier` [source diff](https://github.com/caos/oidc/pull/130/files#diff-3a01c7500ead8f35448456ef231c7c22f8d291710936cac91de5edeef52ffc72L52-R52)

BREAKING CHANGE:
- move functions from `utils` package into separate packages
- added various methods to the (OP) `Configuration` interface [source diff](https://github.com/caos/oidc/pull/130/files#diff-2538e0dfc772fdc37f057aecd6fcc2943f516c24e8be794cce0e368a26d20a82R19-R32)
- added revocationEndpoint to `WithCustomEndpoints ` [source diff](https://github.com/caos/oidc/pull/130/files#diff-19ae13a743eb7cebbb96492798b1bec556673eb6236b1387e38d722900bae1c3L355-R391)
- remove unnecessary context parameter from JWTProfileExchange [source diff](https://github.com/caos/oidc/pull/130/files#diff-4ed8f6affa4a9631fa8a034b3d5752fbb6a819107141aae00029014e950f7b4cL14)
 2021-11-02 13:21:35 +01:00