Finally the RFC Best Current Practice for OAuth 2.0 Security has been approved.
According to the RFC:
> Authorization servers MUST support PKCE [RFC7636].
>
> If a client sends a valid PKCE code_challenge parameter in the authorization request, the authorization server MUST enforce the correct usage of code_verifier at the token endpoint.
Isn’t it time we strengthen PKCE support a bit more?
This PR updates the logic so that PKCE is always verified, even when the Auth Method is not "none".
* feat(op): split the access and ID token hint verifiers
In zitadel we require different behaviors wrt public key expiry between access tokens and ID token hints.
This change splits the two verifiers in the OP.
The default is still based on Storage and passed to both verifier fields.
* add new options to tests
* first draft of a new server interface
* allow any response type
* complete interface docs
* refelct the format from the proposal
* intermediate commit with some methods implemented
* implement remaining token grant type methods
* implement remaining server methods
* error handling
* rewrite auth request validation
* define handlers, routes
* input validation and concrete handlers
* check if client credential client is authenticated
* copy and modify the routes test for the legacy server
* run integration tests against both Server and Provider
* remove unuse ValidateAuthRequestV2 function
* unit tests for error handling
* cleanup tokenHandler
* move server routest test
* unit test authorize
* handle client credentials in VerifyClient
* change code exchange route test
* finish http unit tests
* review server interface docs and spelling
* add withClient unit test
* server options
* cleanup unused GrantType method
* resolve typo comments
* make endpoints pointers to enable/disable them
* jwt profile base work
* jwt: correct the test expect
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
* feat(op): user slog for logging
integrate with golang.org/x/exp/slog for logging.
provide a middleware for request scoped logging.
BREAKING CHANGES:
1. OpenIDProvider and sub-interfaces get a Logger()
method to return the configured logger;
2. AuthRequestError now takes the complete Authorizer,
instead of only the encoder. So that it may use its Logger() method.
3. RequestError now takes a Logger as argument.
* use zitadel/logging
* finish op and testing
without middleware for now
* minimum go version 1.19
* update go mod
* log value testing only on go 1.20 or later
* finish the RP and example
* ping logging release
* feat: get issuer from context for device auth
* use distinct UserFormURL and UserFormPath
- Properly deprecate UserFormURL and default to old behaviour,
to prevent breaking change.
- Refactor unit tests to test both cases.
* update example
