* fix(oidc): ignore unknown language tag in userinfo unmarshal
Open system reported an issue where a generic OpenID provider might return language tags like "gb".
These tags are well-formed but unknown and Go returns an error for it.
We already ignored unknown tags is ui_locale arrays lik in AuthRequest.
This change ignores singular unknown tags, like used in the userinfo `locale` claim.
* do not set nil to Locale field
* Add configurable CORS policy in OpenIDProvider
* Add configurable CORS policy to Server
* remove duplicated CORS middleware
* Allow nil CORS policy to be set to disable CORS middleware
* create a separate handler on webServer so type assertion works in tests
As introspection is a Oauth mechanism for resource servers only,
it does not make sense to get an oidc client by ID.
The original OP did not do this and now we make the server behavior similar.
This PR replaces all occurances of interface{} with any to be consistent and improve readability.
* example: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/client: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/crypto: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/http: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/oidc: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/op: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
---------
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* first draft of a new server interface
* allow any response type
* complete interface docs
* refelct the format from the proposal
* intermediate commit with some methods implemented
* implement remaining token grant type methods
* implement remaining server methods
* error handling
* rewrite auth request validation
* define handlers, routes
* input validation and concrete handlers
* check if client credential client is authenticated
* copy and modify the routes test for the legacy server
* run integration tests against both Server and Provider
* remove unuse ValidateAuthRequestV2 function
* unit tests for error handling
* cleanup tokenHandler
* move server routest test
* unit test authorize
* handle client credentials in VerifyClient
* change code exchange route test
* finish http unit tests
* review server interface docs and spelling
* add withClient unit test
* server options
* cleanup unused GrantType method
* resolve typo comments
* make endpoints pointers to enable/disable them
* jwt profile base work
* jwt: correct the test expect
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
* feat(op): user slog for logging
integrate with golang.org/x/exp/slog for logging.
provide a middleware for request scoped logging.
BREAKING CHANGES:
1. OpenIDProvider and sub-interfaces get a Logger()
method to return the configured logger;
2. AuthRequestError now takes the complete Authorizer,
instead of only the encoder. So that it may use its Logger() method.
3. RequestError now takes a Logger as argument.
* use zitadel/logging
* finish op and testing
without middleware for now
* minimum go version 1.19
* update go mod
* log value testing only on go 1.20 or later
* finish the RP and example
* ping logging release
* chore(op): reproduce issue #415
* fix(op): omit empty state from code flow redirect
Add test cases to reproduce the original bug, and it's resolution.
closes#415
BREAKING CHANGE:
- rename RefreshAccessToken to RefreshToken
- RefreshToken returns *oidc.Tokens instead of *oauth2.Token
This change allows the return of the id_token in an explicit manner,
as part of the oidc.Tokens struct.
The return type is now consistent with the CodeExchange function.
When an id_token is returned, it is verified.
In case no id_token was received,
RefreshTokens will not return an error.
As per specifictation:
https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
Upon successful validation of the Refresh Token,
the response body is the Token Response of Section 3.1.3.3
except that it might not contain an id_token.
Closes#364
* reproduce #406
* fix: don't error on invalid i18n tags in discovery
This changes the use of `[]language.Tag` to
`oidc.Locales` in `DiscoveryConfig`.
This should be compatible with callers that use
the `[]language.Tag` .
Locales now implements the `json.Unmarshaler` interface.
With support for json arrays or space seperated strings.
The latter because `UnmarshalText` might have been implicetely called
by the json library before we added UnmarshalJSON.
Fixes: #406
BREAKING CHANGE, removes methods from DeviceAuthorizationStorage:
- GetDeviceAuthorizationByUserCode
- CompleteDeviceAuthorization
- DenyDeviceAuthorization
The methods are now moved to examples as something similar can be
userful for implementers.
This fixes an issue where, when using the device authorization flow, the
grant type would be set twice. Some OPs don't accept this, and fail when
polling.
With this fix the grant type is only set once, which will make some OPs
happy again.
Fixes#352
* feat: get issuer from context for device auth
* use distinct UserFormURL and UserFormPath
- Properly deprecate UserFormURL and default to old behaviour,
to prevent breaking change.
- Refactor unit tests to test both cases.
* update example
