Livio Amstutz
a27ba09872
feat(op): dynamic issuer depending on request / host
...
BREAKING CHANGE: The OpenID Provider package is now able to handle multiple issuers with a single storage implementation. The issuer will be selected from the host of the request and passed into the context, from where every function can read it if necessary. This results in some fundamental changes:
- `Configuration` interface:
- `Issuer() string` has been changed to `IssuerFromRequest(r *http.Request) string`
- `Insecure() bool` has been added
- OpenIDProvider interface and dependants:
- `Issuer` has been removed from Config struct
- `NewOpenIDProvider` now takes an additional parameter `issuer` and returns a pointer to the public/default implementation and not an OpenIDProvider interface:
`NewOpenIDProvider(ctx context.Context, config *Config, storage Storage, opOpts ...Option) (OpenIDProvider, error)` changed to `NewOpenIDProvider(ctx context.Context, issuer string, config *Config, storage Storage, opOpts ...Option) (*Provider, error)`
- therefore the parameter type Option changed to the public type as well: `Option func(o *Provider) error`
- `AuthCallbackURL(o OpenIDProvider) func(string) string` has been changed to `AuthCallbackURL(o OpenIDProvider) func(context.Context, string) string`
- `IDTokenHintVerifier() IDTokenHintVerifier` (Authorizer, OpenIDProvider, SessionEnder interfaces), `AccessTokenVerifier() AccessTokenVerifier` (Introspector, OpenIDProvider, Revoker, UserinfoProvider interfaces) and `JWTProfileVerifier() JWTProfileVerifier` (IntrospectorJWTProfile, JWTAuthorizationGrantExchanger, OpenIDProvider, RevokerJWTProfile interfaces) now take a context.Context parameter `IDTokenHintVerifier(context.Context) IDTokenHintVerifier`, `AccessTokenVerifier(context.Context) AccessTokenVerifier` and `JWTProfileVerifier(context.Context) JWTProfileVerifier`
- `OidcDevMode` (CAOS_OIDC_DEV) environment variable check has been removed, use `WithAllowInsecure()` Option
- Signing: the signer is not kept in memory anymore, but created on request from the loaded key:
- `Signer` interface and func `NewSigner` have been removed
- `ReadySigner(s Signer) ProbesFn` has been removed
- `CreateDiscoveryConfig(c Configuration, s Signer) *oidc.DiscoveryConfiguration` has been changed to `CreateDiscoveryConfig(r *http.Request, config Configuration, storage DiscoverStorage) *oidc.DiscoveryConfiguration`
- `Storage` interface:
- `GetSigningKey(context.Context, chan<- jose.SigningKey)` has been changed to `SigningKey(context.Context) (SigningKey, error)`
- `KeySet(context.Context) ([]Key, error)` has been added
- `GetKeySet(context.Context) (*jose.JSONWebKeySet, error)` has been changed to `KeySet(context.Context) ([]Key, error)`
- `SigAlgorithms(s Signer) []string` has been changed to `SigAlgorithms(ctx context.Context, storage DiscoverStorage) []string`
- KeyProvider interface: `GetKeySet(context.Context) (*jose.JSONWebKeySet, error)` has been changed to `KeySet(context.Context) ([]Key, error)`
- `CreateIDToken`: the Signer parameter has been removed
2022-04-22 14:23:29 +02:00
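Because the issuer is now derived from the request host, the security-relevant question for anyone implementing the new `Configuration` interface is which hosts are allowed to become an issuer: a `Host` header the provider blindly echoes would let a client obtain tokens (and a discovery document) carrying an attacker-chosen `iss`. The following is an added example, not code from this repository. It assumes a hypothetical `HostIssuerConfig` type with an explicit host allowlist, mirrors the method names `IssuerFromRequest` and `Insecure` from the commit message, and treats `AllowInsecure` as the stand-in for what `WithAllowInsecure()` enables (the replacement for the removed `CAOS_OIDC_DEV` check).

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// HostIssuerConfig maps the request Host to an issuer URL. Constructed for this
// example: it follows the method shapes named in the commit above but is not
// the library's implementation.
type HostIssuerConfig struct {
	// AllowedHosts lists the host names (with a port only when it is not the
	// default) the provider is deliberately served under. Any other Host is
	// rejected, so a spoofed Host header cannot mint tokens with its own iss.
	AllowedHosts map[string]bool
	// AllowInsecure plays the role of Insecure(): only then may an http://
	// issuer be produced, and only for requests that did not arrive over TLS.
	AllowInsecure bool
}

// Insecure reports whether plain-http issuers are permitted (dev/test only).
func (c HostIssuerConfig) Insecure() bool { return c.AllowInsecure }

// canonicalHost lower-cases the host and drops a default port so that
// "Issuer.Example.com:443" and "issuer.example.com" select the same issuer.
func canonicalHost(raw string) string {
	h := strings.ToLower(strings.TrimSpace(raw))
	if host, port, err := net.SplitHostPort(h); err == nil && (port == "443" || port == "80") {
		return host
	}
	return h
}

// IssuerFromRequest returns the issuer URL for the request's Host, or "" when
// the host is not a configured issuer host. Behind a TLS-terminating proxy
// r.TLS is nil; the issuer stays https unless insecure mode is enabled.
func (c HostIssuerConfig) IssuerFromRequest(r *http.Request) string {
	host := canonicalHost(r.Host)
	if !c.AllowedHosts[host] {
		return ""
	}
	scheme := "https"
	if r.TLS == nil && c.Insecure() {
		scheme = "http"
	}
	return scheme + "://" + host
}

// RequireKnownHost is middleware that refuses requests for unknown hosts
// before any OP handler (discovery, authorize, token) can act on them.
func (c HostIssuerConfig) RequireKnownHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c.IssuerFromRequest(r) == "" {
			http.Error(w, "unknown issuer host", http.StatusNotFound)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wrap the OP's router with `RequireKnownHost` in addition to implementing `IssuerFromRequest`: the allowlist check in one place means a storage implementation that keys clients or keys by issuer never sees an issuer it did not configure.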
Livio Amstutz
885fe0d45c
docs(example): implement OpenID Provider (#165)
...
* chore(example): implement OpenID Provider
* jwt profile and fixes
* some comments
* remove old op example
* fix code flow example
* add service user and update readme
* fix password for example use
* ignore example and mock folders for code coverage
* Update example/server/internal/storage.go
Co-authored-by: Silvan <silvan.reusser@gmail.com>
* Update client.go
Co-authored-by: Silvan <silvan.reusser@gmail.com>
2022-04-21 17:54:00 +02:00
Livio Amstutz
c195452bb0
feat(rp): provide key by data (not only path) for jwt profile (#168)
2022-04-14 10:10:56 +02:00
dependabot[bot]
478795ad79
chore(deps): bump actions/setup-go from 2 to 3 (#170)
...
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2 to 3.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v2...v3)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-04-12 08:00:56 +02:00
dependabot[bot]
fd416ce413
chore(deps): bump codecov/codecov-action from 2.1.0 to 3.0.0 (#171)
...
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 2.1.0 to 3.0.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v2.1.0...v3.0.0)
---
updated-dependencies:
- dependency-name: codecov/codecov-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-04-12 08:00:40 +02:00
Livio Amstutz
0dd79cb6f9
chore(build): add go 1.18 to matrix build (#166)
...
* chore(build): add go 1.18 to matrix build
* add 1.18
* Update README.md
* Update release.yml
2022-03-22 07:26:00 +01:00
dependabot[bot]
d740fe1710
chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (#163)
...
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.7.0 to 1.7.1.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.7.0...v1.7.1)
---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-16 11:18:08 +01:00
dependabot[bot]
ab76b3518f
chore(deps): bump github.com/caos/logging from 0.0.2 to 0.3.1 (#159)
...
* chore(deps): bump github.com/caos/logging from 0.0.2 to 0.3.1
Bumps [github.com/caos/logging](https://github.com/caos/logging) from 0.0.2 to 0.3.1.
- [Release notes](https://github.com/caos/logging/releases)
- [Changelog](https://github.com/caos/logging/blob/master/.releaserc.js)
- [Commits](https://github.com/caos/logging/compare/v0.0.2...v0.3.1)
---
updated-dependencies:
- dependency-name: github.com/caos/logging
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* update logging
* update logging
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-03-16 11:14:57 +01:00
Livio Amstutz
c07557be02
feat: build the redirect after a successful login with AuthCallbackURL function (#164)
2022-03-16 10:55:29 +01:00
dependabot[bot]
b914990e15
chore(deps): bump actions/checkout from 2 to 3 (#161)
...
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-08 06:59:53 +01:00
Silvan
1b81a2e890
Merge pull request #151 from caos/sign-concurrency
2022-03-01 10:07:30 +01:00
Ydris Rebibane
5601add628
feat: Allow the use of a custom discovery endpoint (#152)
...
* Allow the use of custom endpoints
* Remove the custom constructor and replace with an optional argument to override the discovery endpoint
2022-02-16 09:14:54 +01:00
Livio Amstutz
e39146c98e
fix: ensure signer has key on OP creation
2022-01-31 07:27:52 +01:00
Fabi
219ba4e038
Merge pull request #150 from caos/key-selection
...
fix: handle keys without `use` in FindMatchingKey
2022-01-28 09:53:29 +01:00
Livio Amstutz
7ea5ddf250
add missing import
2022-01-28 09:48:37 +01:00
Livio Amstutz
bcd9ec8d85
fix: handle keys without use
in FindMatchingKey
2022-01-28 09:42:42 +01:00
Rohinish
f103b56e95
docs(readme): corrected terminology
2022-01-22 19:20:58 +01:00
Livio Amstutz
eb10752e48
feat: Token Revocation, Request Object and OP Certification (#130)
...
FEATURES (and FIXES):
- support OAuth 2.0 Token Revocation [RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009)
- handle request object using `request` parameter [OIDC Core 1.0 Request Object](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject)
- handle response mode
- added some information to the discovery endpoint:
- revocation_endpoint (added with token revocation)
- revocation_endpoint_auth_methods_supported (added with token revocation)
- revocation_endpoint_auth_signing_alg_values_supported (added with token revocation)
- token_endpoint_auth_signing_alg_values_supported (was missing)
- introspection_endpoint_auth_signing_alg_values_supported (was missing)
- request_object_signing_alg_values_supported (added with request object)
- request_parameter_supported (added with request object)
- fixed `removeUserinfoScopes` now returns the scopes without "userinfo" scopes (profile, email, phone, address) [source diff](https://github.com/caos/oidc/pull/130/files#diff-fad50c8c0f065d4dbc49d6c6a38f09c992c8f5d651a479ba00e31b500543559eL170-R171)
- improved error handling (pkg/oidc/error.go) and fixed some wrong OAuth errors (e.g. `invalid_grant` instead of `invalid_request`)
- improved MarshalJSON and added MarshalJSONWithStatus
- removed deprecated PEM decryption from `BytesToPrivateKey` [source diff](https://github.com/caos/oidc/pull/130/files#diff-fe246e428e399ccff599627c71764de51387b60b4df84c67de3febd0954e859bL11-L19)
- NewAccessTokenVerifier now uses correct (internal) `accessTokenVerifier` [source diff](https://github.com/caos/oidc/pull/130/files#diff-3a01c7500ead8f35448456ef231c7c22f8d291710936cac91de5edeef52ffc72L52-R52)
BREAKING CHANGE:
- move functions from `utils` package into separate packages
- added various methods to the (OP) `Configuration` interface [source diff](https://github.com/caos/oidc/pull/130/files#diff-2538e0dfc772fdc37f057aecd6fcc2943f516c24e8be794cce0e368a26d20a82R19-R32)
- added revocationEndpoint to `WithCustomEndpoints` [source diff](https://github.com/caos/oidc/pull/130/files#diff-19ae13a743eb7cebbb96492798b1bec556673eb6236b1387e38d722900bae1c3L355-R391)
- remove unnecessary context parameter from JWTProfileExchange [source diff](https://github.com/caos/oidc/pull/130/files#diff-4ed8f6affa4a9631fa8a034b3d5752fbb6a819107141aae00029014e950f7b4cL14)
2021-11-02 13:21:35 +01:00
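The RFC 7009 support announced in this commit has three properties a reviewer of any revocation endpoint should check for: the client must authenticate, a client may only revoke tokens issued to it, and an unknown token still yields HTTP 200 (RFC 7009 section 2.2) so the endpoint does not act as a token-existence oracle. The block below is an added example of those rules, not the library's `Revoker` implementation; it uses a constructed in-memory token store, HTTP Basic client authentication, and a hypothetical `GrantID` to cascade refresh-token revocation to the access tokens of the same grant, as section 2.1 of the RFC recommends.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"net/http"
	"sync"
)

// tokenRecord is this example's constructed stand-in for persisted token state.
type tokenRecord struct {
	ClientID string // client the token was issued to
	GrantID  string // ties access tokens to the refresh token of the same grant
	Kind     string // "access_token" or "refresh_token"
	Revoked  bool
}

// RevocationServer is an RFC 7009 endpoint over an in-memory store.
type RevocationServer struct {
	mu      sync.Mutex
	clients map[string]string       // client_id -> client_secret (constructed)
	tokens  map[string]*tokenRecord // token value -> record
}

func NewRevocationServer() *RevocationServer {
	return &RevocationServer{clients: map[string]string{}, tokens: map[string]*tokenRecord{}}
}

func (s *RevocationServer) AddClient(id, secret string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.clients[id] = secret
}

func (s *RevocationServer) Issue(token, clientID, grantID, kind string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[token] = &tokenRecord{ClientID: clientID, GrantID: grantID, Kind: kind}
}

// IsActive is what a resource server or introspection endpoint would ask.
func (s *RevocationServer) IsActive(token string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.tokens[token]
	return ok && !rec.Revoked
}

// authenticate checks client_secret_basic credentials in constant time.
func (s *RevocationServer) authenticate(r *http.Request) (string, bool) {
	id, secret, ok := r.BasicAuth()
	if !ok {
		return "", false
	}
	s.mu.Lock()
	want, known := s.clients[id]
	s.mu.Unlock()
	if !known || subtle.ConstantTimeCompare([]byte(want), []byte(secret)) != 1 {
		return "", false
	}
	return id, true
}

func oauthError(w http.ResponseWriter, status int, code string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(map[string]string{"error": code})
}

func (s *RevocationServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		oauthError(w, http.StatusMethodNotAllowed, "invalid_request")
		return
	}
	clientID, ok := s.authenticate(r)
	if !ok { // RFC 7009 section 2.2.1 / RFC 6749 section 5.2
		w.Header().Set("WWW-Authenticate", `Basic realm="oauth2"`)
		oauthError(w, http.StatusUnauthorized, "invalid_client")
		return
	}
	if err := r.ParseForm(); err != nil || r.PostForm.Get("token") == "" {
		oauthError(w, http.StatusBadRequest, "invalid_request")
		return
	}
	switch r.PostForm.Get("token_type_hint") { // a hint only; lookup covers both kinds
	case "", "access_token", "refresh_token":
	default:
		oauthError(w, http.StatusBadRequest, "unsupported_token_type")
		return
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, found := s.tokens[r.PostForm.Get("token")]
	// Unknown tokens, and tokens belonging to another client, are answered
	// with 200 and no state change: the caller learns nothing about them.
	if !found || rec.ClientID != clientID {
		w.WriteHeader(http.StatusOK)
		return
	}
	rec.Revoked = true
	if rec.Kind == "refresh_token" { // also invalidate access tokens of the same grant
		for _, other := range s.tokens {
			if other.GrantID == rec.GrantID {
				other.Revoked = true
			}
		}
	}
	w.WriteHeader(http.StatusOK)
}
```

Treating another client's token as "not found" is a design choice here: RFC 7009 section 2.1 only says such a request is refused, and returning the same 200 as for an invalid token avoids confirming to the caller that the token exists.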
Witold Konior
763d3334e7
feat: Enable parsing email_verified from string. (#139)
...
* Enable parsing email_verified from string.
AWS Cognito will return email_verified from the /userinfo endpoint as a string.
This fix will accept proper boolean values as well as string values.
Links for reference:
https://forums.aws.amazon.com/thread.jspa?messageID=949441
https://discuss.elastic.co/t/openid-error-after-authenticating-against-aws-cognito/206018/11
* feat: Enable parsing email_verified from string.
2021-11-02 09:14:33 +01:00
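Accepting `"true"` as a string for `email_verified` is the tolerant part; the part that matters for a relying party is that nothing else (`"yes"`, `1`, an arbitrary string) is silently read as verified or unverified, since this claim typically gates account linking. The following is an added example of such a parser, not the library's `UserInfo` type; `VerifiedFlag`, `UserInfo` and `ParseUserInfo` are names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// VerifiedFlag is a bool that also accepts the JSON strings "true"/"false",
// which some providers (AWS Cognito, per the commit above) return for
// email_verified. Any other value is a parse error rather than a guess.
// Constructed for this example; not the library's type.
type VerifiedFlag bool

func (f *VerifiedFlag) UnmarshalJSON(data []byte) error {
	var raw interface{}
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}
	switch v := raw.(type) {
	case nil: // JSON null: keep the zero value (unverified), as encoding/json does
		return nil
	case bool:
		*f = VerifiedFlag(v)
		return nil
	case string:
		switch v {
		case "true":
			*f = true
			return nil
		case "false":
			*f = false
			return nil
		}
		return fmt.Errorf("email_verified: unexpected string %q", v)
	}
	return fmt.Errorf("email_verified: unexpected JSON type %T", raw)
}

// UserInfo carries the subset of userinfo claims this example cares about.
type UserInfo struct {
	Subject       string       `json:"sub"`
	Email         string       `json:"email,omitempty"`
	EmailVerified VerifiedFlag `json:"email_verified,omitempty"`
}

// ParseUserInfo decodes a userinfo response; a missing email_verified claim
// reads as false, and a malformed one fails the whole response.
func ParseUserInfo(data []byte) (UserInfo, error) {
	var u UserInfo
	if err := json.Unmarshal(data, &u); err != nil {
		return UserInfo{}, err
	}
	if u.Subject == "" {
		return UserInfo{}, fmt.Errorf("userinfo: missing sub claim")
	}
	return u, nil
}
```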
陈杨文
c45f03e144
fix: allowed ConcatenateJSON with empty input (#138)
2021-10-28 07:06:34 +02:00
Livio Amstutz
55ec7d9dd2
docs: remove implicit and hybrid flow from supported RP features in readme (#136)
...
* docs: remove implicit flow from supported features in readme
* docs: remove implicit flow from supported features in readme
Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: Florian Forster <florian@caos.ch>
2021-10-26 09:15:02 +02:00
jmillerv
292188ba30
docs: fix readme typos (#134)
2021-10-10 19:30:24 +00:00
Livio Amstutz
eb38b7aa60
chore: build on fork PRs (#133)
2021-10-08 08:23:53 +02:00
陈杨文
ff2c164057
fix: improve example & fix userinfo marshal (#132)
...
* fix: example client should track state; calling cli.CodeFlow needs a context
* fix: oidc userinfo can UnmarshalJSON with address
* rp Discover use client.Discover
* add instruction for example to README.md
2021-10-08 08:20:45 +02:00
Livio Amstutz
a63fbee93d
fix: improve JWS and key verification (#128)
...
* fix: improve JWS and key verification
* fix: get remote keys if no cached key matches
* fix: get remote keys if no cached key matches
* fix exactMatch
* fix exactMatch
* chore: change default branch name in .releaserc.js
2021-09-14 15:13:44 +02:00
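Two entries on this page concern the same verification path: this commit's "get remote keys if no cached key matches" and the earlier `fix: handle keys without use in FindMatchingKey` above. Both have a failure mode worth seeing in code: a key set whose entries omit `use` must still be usable (JWK makes `use` optional), keys marked `use=enc` must never verify a signature, several equally plausible keys should be an error rather than a try-every-key loop, and a refetch triggered by an unknown `kid` must be rate-limited or a token with a bogus `kid` becomes a way to hammer the `jwks_uri`. The block below is an added example, not the library's `FindMatchingKey` or key cache; it works on a constructed minimal `JSONWebKey` rather than go-jose's type, and `KeyCache` with its `minRefresh` throttle is this example's own design.

```go
package main

import (
	"errors"
	"sync"
	"time"
)

// JSONWebKey is a minimal view of a JWKS entry, constructed for this example.
// Both Use and Algorithm are optional in JWK and are often omitted.
type JSONWebKey struct {
	KeyID     string
	Algorithm string
	Use       string // "sig", "enc", or "" when the provider omits it
}

var (
	ErrNoKey     = errors.New("no key in the key set matches the JWS header")
	ErrAmbiguous = errors.New("more than one key matches the JWS header; refusing to guess")
)

// FindMatchingKey selects the verification key for a JWS header. Keys with
// use=enc are never candidates; keys without use are accepted. kid and alg
// narrow the match only when the header carries them; if several candidates
// remain the caller gets an error instead of a trial-verification loop.
func FindMatchingKey(kid, alg string, keys []JSONWebKey) (JSONWebKey, error) {
	var candidates []JSONWebKey
	for _, k := range keys {
		if k.Use != "" && k.Use != "sig" {
			continue
		}
		if kid != "" && k.KeyID != kid {
			continue
		}
		if alg != "" && k.Algorithm != "" && k.Algorithm != alg {
			continue
		}
		candidates = append(candidates, k)
	}
	switch len(candidates) {
	case 0:
		return JSONWebKey{}, ErrNoKey
	case 1:
		return candidates[0], nil
	default:
		return JSONWebKey{}, ErrAmbiguous
	}
}

// KeyCache keeps a JWKS and refetches it when a header names an unknown key,
// but at most once per minRefresh, so unknown kids cannot force a fetch storm.
type KeyCache struct {
	fetch      func() ([]JSONWebKey, error) // e.g. an HTTP GET of jwks_uri
	minRefresh time.Duration
	now        func() time.Time // injectable clock for tests

	mu          sync.Mutex
	keys        []JSONWebKey
	lastRefresh time.Time
}

func NewKeyCache(fetch func() ([]JSONWebKey, error), minRefresh time.Duration) *KeyCache {
	return &KeyCache{fetch: fetch, minRefresh: minRefresh, now: time.Now}
}

// Key resolves a header's kid/alg against the cache, refreshing on a miss.
func (c *KeyCache) Key(kid, alg string) (JSONWebKey, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	key, err := FindMatchingKey(kid, alg, c.keys)
	if !errors.Is(err, ErrNoKey) {
		return key, err // hit, or an ambiguity a refetch would not resolve
	}
	if c.now().Sub(c.lastRefresh) < c.minRefresh {
		return JSONWebKey{}, ErrNoKey // throttled: treat as unknown key
	}
	fresh, ferr := c.fetch()
	if ferr != nil {
		return JSONWebKey{}, ferr
	}
	c.keys, c.lastRefresh = fresh, c.now()
	return FindMatchingKey(kid, alg, c.keys)
}
```

Refusing ambiguous matches is deliberate: with a kid-less token and two RS256 keys the verifier would otherwise try both, and an attacker who can get one weak or stale key into the set gains a second chance at every verification.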
Livio Amstutz
2b5b436c41
Merge pull request #127 from caos/dependabot/github_actions/codecov/codecov-action-2.1.0
...
chore(deps): bump codecov/codecov-action from 2.0.3 to 2.1.0
2021-09-14 07:18:37 +02:00
dependabot[bot]
391b603cce
chore(deps): bump codecov/codecov-action from 2.0.3 to 2.1.0
...
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 2.0.3 to 2.1.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v2.0.3...v2.1.0)
---
updated-dependencies:
- dependency-name: codecov/codecov-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-09-13 19:01:38 +00:00
Livio Amstutz
fcad98f4bd
fix: make pkce code_verifier spec compliant #125
...
fix: make pkce code_verifier spec compliant #125
2021-09-13 14:52:07 +02:00
Timo Volkmann
99812e0b8e
pkce: encode code verifier with base64 without padding
...
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2021-09-13 13:56:38 +02:00
Timo Volkmann
af3a497b6d
fix: make pkce code_verifier spec compliant #125
...
follow recommendations for code_verifier: https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
2021-09-09 14:33:59 +02:00
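The three PKCE commits above converge on RFC 7636 section 4.1: the `code_verifier` is 43 to 128 characters from the unreserved set, and the recommended way to get there is 32 random octets encoded as base64url without padding (a padded `=` is outside the allowed alphabet, which is what the "encode code verifier with base64 without padding" commit corrects). The block below is an added example of the client-side generation and the server-side check, not the library's `rp` or `op` code; the function names are this example's own, and the expected values in its test come from the RFC's Appendix B vector.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"regexp"
)

// codeVerifierRe is RFC 7636 section 4.1: 43 to 128 characters drawn from
// [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".
var codeVerifierRe = regexp.MustCompile(`^[A-Za-z0-9\-._~]{43,128}$`)

var ErrInvalidVerifier = errors.New("code_verifier does not satisfy RFC 7636 section 4.1")

// NewCodeVerifier draws 32 random octets and base64url-encodes them without
// padding, which yields exactly 43 characters (the RFC's suggested construction).
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// ValidateCodeVerifier enforces length and alphabet on a presented verifier.
func ValidateCodeVerifier(v string) error {
	if !codeVerifierRe.MatchString(v) {
		return ErrInvalidVerifier
	}
	return nil
}

// CodeChallengeS256 = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), unpadded.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyCodeChallenge is the token-endpoint check: the verifier is validated,
// the challenge is recomputed with the method stored alongside the
// authorization code, and compared in constant time. "plain" is accepted only
// because the RFC allows it; an OP that can should refuse it at authorization.
func VerifyCodeChallenge(verifier, storedChallenge, method string) bool {
	if ValidateCodeVerifier(verifier) != nil {
		return false
	}
	var expected string
	switch method {
	case "S256":
		expected = CodeChallengeS256(verifier)
	case "plain":
		expected = verifier
	default:
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) == 1
}
```

Validating the verifier before hashing matters on the server side too: a verifier shorter than 43 characters was never produced by a conforming client, so accepting it only widens the search space for an attacker who has intercepted the authorization code.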
Livio Amstutz
3574b211c8
Merge pull request #121 from caos/dependabot/github_actions/codecov/codecov-action-2.0.3
...
chore(deps): bump codecov/codecov-action from 2.0.2 to 2.0.3
2021-09-03 07:19:18 +02:00
dependabot[bot]
353bee9ebe
chore(deps): bump codecov/codecov-action from 2.0.2 to 2.0.3
...
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 2.0.2 to 2.0.3.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v2.0.2...v2.0.3)
---
updated-dependencies:
- dependency-name: codecov/codecov-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-09-03 05:18:02 +00:00
Livio Amstutz
3ed3fa5c0a
chore: fix sem rel configuration
2021-08-27 15:40:31 +02:00
Livio Amstutz
1bd04e9f36
Merge pull request #117 from caos/workflow
...
chore: start improving external contribution
2021-08-27 15:36:51 +02:00
Livio Amstutz
1a2cc86f3c
chore: change default branch name in .releaserc.js
2021-08-27 15:31:54 +02:00
Livio Amstutz
a3e5d6ba96
chore: add CONTRIBUTING.md
2021-08-27 15:26:41 +02:00
Livio Amstutz
d009df3567
chore: add issue templates
2021-08-27 15:24:24 +02:00
Livio Amstutz
87061e0123
chore: add 1.17 to matrix build
2021-08-27 14:57:48 +02:00
Livio Amstutz
b188b2e10e
Merge pull request #114 from caos/dependabot/go_modules/golang.org/x/text-0.3.7
...
chore(deps): bump golang.org/x/text from 0.3.6 to 0.3.7
2021-08-27 14:55:19 +02:00
Livio Amstutz
9aa0989dc1
chore: enable workflow on PR from forks
2021-08-27 14:32:41 +02:00
Livio Amstutz
86613007d0
fix: Ease dev host name constraints
...
fix: Ease dev host name constraints
2021-08-27 14:30:36 +02:00
Beardo Moore
581885afb1
task: Ease dev host name constraints
...
This changes the requirements for an issuer hostname to allow anything
that is `http`. The reason for this is because the user of the library
already has to make a conscious decision to set `CAOS_OIDC_DEV` so they
should already understand the risks of not using `https`. The primary
motivation for this change is to allow IdPs to be created in a
containerized integration test environment. Specifically setting up a
docker compose file that starts all parts of the system with a test IdP
using this library where the DNS name will not be `localhost`.
2021-08-26 20:32:51 +00:00
dependabot[bot]
5c9565c035
chore(deps): bump golang.org/x/text from 0.3.6 to 0.3.7
...
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.3.6 to 0.3.7.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.3.6...v0.3.7)
---
updated-dependencies:
- dependency-name: golang.org/x/text
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-08-11 04:03:42 +00:00
dependabot[bot]
84b2ecc60e
chore(deps): bump github.com/google/uuid from 1.2.0 to 1.3.0 (#108)
...
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/google/uuid/releases)
- [Commits](https://github.com/google/uuid/compare/v1.2.0...v1.3.0)
---
updated-dependencies:
- dependency-name: github.com/google/uuid
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-08-09 09:29:40 +02:00
dependabot[bot]
bd2d17b3f3
chore(deps): bump codecov/codecov-action from 1 to 2.0.2 (#111)
...
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 1 to 2.0.2.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/master/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v1...v2.0.2)
---
updated-dependencies:
- dependency-name: codecov/codecov-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2021-08-09 09:28:50 +02:00
Florian Forster
3a37300e7a
docs: certification comment (#113)
2021-08-03 17:00:24 +02:00
Florian Forster
3a21b04459
chore: code of conduct (#112)
2021-08-03 16:52:16 +02:00
Livio Amstutz
1132c9d93d
fix: removeUserinfoScopes return new slice (without manipulating passed one) (#110)
2021-07-21 08:27:38 +02:00
Livio Amstutz
8a35b89815
fix: supported ui locales from config (#107)
2021-07-09 09:20:03 +02:00
Fabi
1392c0ee9a
Merge pull request #106 from caos/jwt-profile-storage
...
fix: custom claims and sub for jwt profile
2021-07-07 08:33:14 +02:00