cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
489 commits 8 branches 227 tags 3.4 MiB
Commit graph

489 commits

This branch
This branch
All branches
Author SHA1 Message Date
Tim Möhlmann
ef9477cac0
chore: v2 maintenance releases (#459) 2023-10-24 08:29:40 +02:00
mffap
9c0696306f
docs: update security policy (#464) 2023-10-23 17:16:48 +03:00
Tim Möhlmann
434b2e62d8
chore(op): upgrade go-chi/chi to v5 (#462) 2023-10-16 11:02:56 +02:00
Tim Möhlmann
0dc2a6e7a1
fix(op): return state in token response only for implicit flow (#460) 
* fix(op): return state in token response only for implicit flow

* oops
 2023-10-13 12:17:03 +00:00
Tim Möhlmann
976b40620c
Merge pull request #456 from zitadel/next-main 
Merge next into main in order to release v3. Merge conflicts were handled in an intermediate branch.

BREAKING CHANGE - Just making sure v3 release is triggered.
 2023-10-13 08:44:41 +03:00
Tim Möhlmann
d9487ef77d Merge branch 'next' into next-main 2023-10-12 16:07:49 +03:00
dependabot[bot]
bb115d8f6a
chore(deps): bump golang.org/x/oauth2 from 0.12.0 to 0.13.0 (#454) 
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.12.0 to 0.13.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.12.0...v0.13.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-10-12 12:44:59 +03:00
dependabot[bot]
1291bf6881
chore(deps): bump github.com/rs/cors from 1.10.0 to 1.10.1 (#451) 
Bumps [github.com/rs/cors](https://github.com/rs/cors) from 1.10.0 to 1.10.1.
- [Release notes](https://github.com/rs/cors/releases)
- [Commits](https://github.com/rs/cors/compare/v1.10.0...v1.10.1)

---
updated-dependencies:
- dependency-name: github.com/rs/cors
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-10-12 12:41:50 +03:00
Thomas Hipp
e6e3835362
chore: replace interface{} with any (#448) 
This PR replaces all occurances of interface{} with any to be consistent and improve readability.

* example: Replace `interface{}` with `any`

Signed-off-by: Thomas Hipp <thomashipp@gmail.com>

* pkg/client: Replace `interface{}` with `any`

Signed-off-by: Thomas Hipp <thomashipp@gmail.com>

* pkg/crypto: Replace `interface{}` with `any`

Signed-off-by: Thomas Hipp <thomashipp@gmail.com>

* pkg/http: Replace `interface{}` with `any`

Signed-off-by: Thomas Hipp <thomashipp@gmail.com>

* pkg/oidc: Replace `interface{}` with `any`

Signed-off-by: Thomas Hipp <thomashipp@gmail.com>

* pkg/op: Replace `interface{}` with `any`

Signed-off-by: Thomas Hipp <thomashipp@gmail.com>

---------

Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
 2023-10-12 12:41:04 +03:00
dependabot[bot]
ceaf2b184d
chore(deps): bump go.opentelemetry.io/otel/trace from 1.18.0 to 1.19.0 (#449) 
Bumps [go.opentelemetry.io/otel/trace](https://github.com/open-telemetry/opentelemetry-go) from 1.18.0 to 1.19.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.18.0...v1.19.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/trace
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-10-12 11:55:35 +03:00
dependabot[bot]
8488cb054b
chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 (#455) 
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.15.0 to 0.17.0.
- [Commits](https://github.com/golang/net/compare/v0.15.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-10-12 07:56:52 +02:00
Tim Möhlmann
0f8a0585bf
feat(op): Server interface (#447) 
* first draft of a new server interface

* allow any response type

* complete interface docs

* refelct the format from the proposal

* intermediate commit with some methods implemented

* implement remaining token grant type methods

* implement remaining server methods

* error handling

* rewrite auth request validation

* define handlers, routes

* input validation and concrete handlers

* check if client credential client is authenticated

* copy and modify the routes test for the legacy server

* run integration tests against both Server and Provider

* remove unuse ValidateAuthRequestV2 function

* unit tests for error handling

* cleanup tokenHandler

* move server routest test

* unit test authorize

* handle client credentials in VerifyClient

* change code exchange route test

* finish http unit tests

* review server interface docs and spelling

* add withClient unit test

* server options

* cleanup unused GrantType method

* resolve typo comments

* make endpoints pointers to enable/disable them

* jwt profile base work

* jwt: correct the test expect

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
 2023-09-28 17:30:08 +03:00
dependabot[bot]
47cd8f376d
chore(deps): bump go.opentelemetry.io/otel from 1.17.0 to 1.18.0 (#445) 
Bumps [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) from 1.17.0 to 1.18.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.17.0...v1.18.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-14 16:12:20 +03:00
Tim Möhlmann
364a7591d6
feat: issuer from Forwarded header (#443) 2023-09-07 15:25:39 +03:00
dependabot[bot]
607a76c154
chore(deps): bump golang.org/x/oauth2 from 0.11.0 to 0.12.0 (#441) 
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.11.0 to 0.12.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.11.0...v0.12.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-06 14:53:08 +03:00
dependabot[bot]
61f1925f51
chore(deps): bump github.com/rs/cors from 1.9.0 to 1.10.0 (#442) 
Bumps [github.com/rs/cors](https://github.com/rs/cors) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/rs/cors/releases)
- [Commits](https://github.com/rs/cors/compare/v1.9.0...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/rs/cors
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-06 14:52:18 +03:00
dependabot[bot]
0bc75d86ff
chore(deps): bump cycjimmy/semantic-release-action from 3 to 4 (#438) 
Bumps [cycjimmy/semantic-release-action](https://github.com/cycjimmy/semantic-release-action) from 3 to 4.
- [Release notes](https://github.com/cycjimmy/semantic-release-action/releases)
- [Changelog](https://github.com/cycjimmy/semantic-release-action/blob/main/docs/CHANGELOG.md)
- [Commits](https://github.com/cycjimmy/semantic-release-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: cycjimmy/semantic-release-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-05 00:47:21 +03:00
dependabot[bot]
52a7fff314
chore(deps): bump actions/checkout from 3 to 4 (#439) 
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-09-05 00:46:36 +03:00
Tim Möhlmann
daf82a5e04
chore(deps): migrage jose to go-jose/v3 (#433) 
closes #390
 2023-09-01 14:33:16 +03:00
Tim Möhlmann
1683b319ae
feat(op): add opentelemetry to token endpoint (#436) 
* feat(op): add opentelemetry to token endpoint

* drop go 1.18, add 1.21, do not fail fast
 2023-09-01 10:53:14 +02:00
David Sharnoff
5ade1cd9de
feat: add typ:JWT header to tokens (#435) 2023-08-31 12:47:17 +03:00
Tim Möhlmann
0879c88399
feat: add slog logging (#432) 
* feat(op): user slog for logging

integrate with golang.org/x/exp/slog for logging.
provide a middleware for request scoped logging.

BREAKING CHANGES:

1. OpenIDProvider and sub-interfaces get a Logger()
method to return the configured logger;
2. AuthRequestError now takes the complete Authorizer,
instead of only the encoder. So that it may use its Logger() method.
3. RequestError now takes a Logger as argument.

* use zitadel/logging

* finish op and testing
without middleware for now

* minimum go version 1.19

* update go mod

* log value testing only on go 1.20 or later

* finish the RP and example

* ping logging release
 2023-08-29 14:07:45 +02:00
dependabot[bot]
d7e88060be
chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#431) 
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/google/uuid/releases)
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md)
- [Commits](https://github.com/google/uuid/compare/v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-08-23 18:29:03 +02:00
Tim Möhlmann
ce85a8b820
fix(exampleop): pass the issuer interceptor to login (#430) 
* fix(exampleop): pass the issuer interceptor to login

* undo example testing changes
 2023-08-21 07:44:33 +02:00
Tim Möhlmann
4ed269979e
fix(op): check if getTokenIDAndClaims succeeded (#429) 
When getTokenIDAndClaims didn't succeed,
so `ok` would be false.
This was ignored and the accessTokenClaims.Claims call would panic.
 2023-08-18 17:54:58 +02:00
Tim Möhlmann
37b5de0e82
fix(op): omit empty state from code flow redirect (#428) 
* chore(op): reproduce issue #415

* fix(op): omit empty state from code flow redirect

Add test cases to reproduce the original bug, and it's resolution.

closes #415
 2023-08-18 15:03:51 +02:00
Tim Möhlmann
6708ef4c24
feat(rp): return oidc.Tokens on token refresh (#423) 
BREAKING CHANGE:
- rename RefreshAccessToken to RefreshToken
- RefreshToken returns *oidc.Tokens instead of *oauth2.Token

This change allows the return of the id_token in an explicit manner,
as part of the oidc.Tokens struct.
The return type is now consistent with the CodeExchange function.

When an id_token is returned, it is verified.
In case no id_token was received,
RefreshTokens will not return an error.

As per specifictation:
https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse

Upon successful validation of the Refresh Token,
the response body is the Token Response of Section 3.1.3.3
except that it might not contain an id_token.

Closes #364
 2023-08-18 14:36:39 +02:00
Diego Parisi
45582b6ee9
feat: delete PKCE cookie after code exchange (#419) 2023-08-14 18:14:24 +03:00
dependabot[bot]
48a5fdb8a6
chore(deps): bump golang.org/x/oauth2 from 0.10.0 to 0.11.0 (#421) 
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.10.0 to 0.11.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-08-08 10:03:30 +00:00
dependabot[bot]
9a483321ab
chore(deps): bump golang.org/x/text from 0.11.0 to 0.12.0 (#422) 
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.11.0 to 0.12.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.11.0...v0.12.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-08-08 13:01:43 +03:00
Livio Spring
be89c3b7bc
feat: add CanTerminateSessionFromRequest interface (#418) 
To support access to all claims in the id_token_hint (like a sessionID), this PR adds a new (optional) add-on interface to the Storage.
 2023-07-18 14:15:53 +02:00
dependabot[bot]
4c844da05e
chore(deps): bump golang.org/x/oauth2 from 0.9.0 to 0.10.0 (#417) 
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.9.0 to 0.10.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-07-06 07:11:36 +00:00
dependabot[bot]
de5f4fbf3a
chore(deps): bump golang.org/x/text from 0.10.0 to 0.11.0 (#416) 
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.10.0 to 0.11.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-07-06 09:09:54 +02:00
Hugo Hromic
406153a4f4
fix(client/rs): do not error when issuer discovery has no introspection endpoint (#414) 
* chore(tests): add basic unit tests for `pkg/client/rs/resource_server.go`
* fix: do not error when issuer discovery has no introspection endpoint
 2023-06-23 09:19:58 +02:00
Fabi
fb891d8281
Merge pull request #402 from zitadel/issue_templates 
docs: issue templates
 2023-06-22 15:30:57 +02:00
Fabi
80c67e4127
Update .github/ISSUE_TEMPLATE/bug_report.yaml 2023-06-21 11:35:05 +02:00
dependabot[bot]
9e624986aa
chore(deps): bump golang.org/x/oauth2 from 0.8.0 to 0.9.0 (#411) 
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.8.0 to 0.9.0.
- [Commits](https://github.com/golang/oauth2/compare/v0.8.0...v0.9.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-06-14 13:55:31 +02:00
dependabot[bot]
148ed42cee
chore(deps): bump golang.org/x/text from 0.9.0 to 0.10.0 (#410) 
Bumps [golang.org/x/text](https://github.com/golang/text) from 0.9.0 to 0.10.0.
- [Release notes](https://github.com/golang/text/releases)
- [Commits](https://github.com/golang/text/compare/v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: golang.org/x/text
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-06-13 09:26:49 +02:00
Tim Möhlmann
d01a5c8f91
fix: don't error on invalid i18n tags in discovery (#407) 
* reproduce #406

* fix: don't error on invalid i18n tags in discovery

This changes the use of `[]language.Tag` to
`oidc.Locales` in `DiscoveryConfig`.
This should be compatible with callers that use
the `[]language.Tag` .

Locales now implements the `json.Unmarshaler` interface.
With support for json arrays or space seperated strings.
The latter because `UnmarshalText` might have been implicetely called
by the json library before we added UnmarshalJSON.

Fixes: #406
 2023-06-09 16:31:44 +02:00
dependabot[bot]
77436a2ce7
chore(deps): bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#401) 
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.3 to 1.8.4.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.8.3...v1.8.4)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-06-06 12:09:18 +02:00
dependabot[bot]
e577bedd7f
chore(deps): bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#404) 
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-06-06 12:06:53 +02:00
Fabi
e47f749325
Create improvement.yaml 2023-05-31 16:41:24 +02:00
Fabi
f838acb7c3
Update bug_report.yaml 2023-05-31 16:40:25 +02:00
Fabi
3f3429eede
Update proposal.yaml 2023-05-31 16:37:53 +02:00
Fabi
ae2d2f6256
Update proposal.yaml 2023-05-31 14:13:14 +02:00
Fabi
96ff038c67
Update proposal.yaml 2023-05-31 14:12:46 +02:00
Fabi
6607c5a690
Update docs.yaml 2023-05-31 14:12:13 +02:00
Fabi
c3bed1d2ec
Update bug_report.yaml 2023-05-31 14:11:32 +02:00
Fabi
54a071f27b
Update bug_report.yaml 2023-05-31 14:11:14 +02:00
Fabi
96da29a6d1
docs: fix title 2023-05-31 14:09:47 +02:00