* Add configurable CORS policy in OpenIDProvider
* Add configurable CORS policy to Server
* remove duplicated CORS middleware
* Allow nil CORS policy to be set to disable CORS middleware
* create a separate handler on webServer so type assertion works in tests
As introspection is a Oauth mechanism for resource servers only,
it does not make sense to get an oidc client by ID.
The original OP did not do this and now we make the server behavior similar.
This PR replaces all occurances of interface{} with any to be consistent and improve readability.
* example: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/client: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/crypto: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/http: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/oidc: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/op: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
---------
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* first draft of a new server interface
* allow any response type
* complete interface docs
* refelct the format from the proposal
* intermediate commit with some methods implemented
* implement remaining token grant type methods
* implement remaining server methods
* error handling
* rewrite auth request validation
* define handlers, routes
* input validation and concrete handlers
* check if client credential client is authenticated
* copy and modify the routes test for the legacy server
* run integration tests against both Server and Provider
* remove unuse ValidateAuthRequestV2 function
* unit tests for error handling
* cleanup tokenHandler
* move server routest test
* unit test authorize
* handle client credentials in VerifyClient
* change code exchange route test
* finish http unit tests
* review server interface docs and spelling
* add withClient unit test
* server options
* cleanup unused GrantType method
* resolve typo comments
* make endpoints pointers to enable/disable them
* jwt profile base work
* jwt: correct the test expect
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
* feat(op): user slog for logging
integrate with golang.org/x/exp/slog for logging.
provide a middleware for request scoped logging.
BREAKING CHANGES:
1. OpenIDProvider and sub-interfaces get a Logger()
method to return the configured logger;
2. AuthRequestError now takes the complete Authorizer,
instead of only the encoder. So that it may use its Logger() method.
3. RequestError now takes a Logger as argument.
* use zitadel/logging
* finish op and testing
without middleware for now
* minimum go version 1.19
* update go mod
* log value testing only on go 1.20 or later
* finish the RP and example
* ping logging release
* chore(op): reproduce issue #415
* fix(op): omit empty state from code flow redirect
Add test cases to reproduce the original bug, and it's resolution.
closes#415
BREAKING CHANGE, removes methods from DeviceAuthorizationStorage:
- GetDeviceAuthorizationByUserCode
- CompleteDeviceAuthorization
- DenyDeviceAuthorization
The methods are now moved to examples as something similar can be
userful for implementers.
* feat: get issuer from context for device auth
* use distinct UserFormURL and UserFormPath
- Properly deprecate UserFormURL and default to old behaviour,
to prevent breaking change.
- Refactor unit tests to test both cases.
* update example
When ParseAuthorizeRequest received an invalid URL,
for example containing a semi-colon `;`,
AuthRequestError used to panic.
This was because a typed nil was passed as a interface argument.
The nil check inside AuthRequestError always resulted in false,
allowing access through the nil pointer.
Fixes#315
* op: correct typo
rename checkURIAginstRedirects to checkURIAgainstRedirects
* chore: document standard deviation when using globs
add example on how to toggle the underlying
client implementation based on DevMode.
---------
Co-authored-by: David Sharnoff <dsharnoff@singlestore.com>
BREAKING CHANGE:
- The various verifier types are merged into a oidc.Verifir.
- oidc.Verfier became a struct with exported fields
* use type aliases for oidc.Verifier
this binds the correct contstructor to each verifier usecase.
* fix: handle the zero cases for oidc.Time
* add unit tests to oidc verifier
* fix: correct returned field for JWTTokenRequest
JWTTokenRequest.GetIssuedAt() was returning the ExpiresAt field.
This change corrects that by returning IssuedAt instead.
* oidc: add regression tests for token claim json
this helps to verify that the same JSON is produced,
after these types are refactored.
* refactor: use struct types for claim related types
BREAKING CHANGE:
The following types are changed from interface to struct type:
- AccessTokenClaims
- IDTokenClaims
- IntrospectionResponse
- UserInfo and related types.
The following methods of OPStorage now take a pointer to a struct type,
instead of an interface:
- SetUserinfoFromScopes
- SetUserinfoFromToken
- SetIntrospectionFromToken
The following functions are now generic, so that type-safe extension
of Claims is now possible:
- op.VerifyIDTokenHint
- op.VerifyAccessToken
- rp.VerifyTokens
- rp.VerifyIDToken
- Changed UserInfoAddress to pointer in UserInfo and
IntrospectionResponse.
This was needed to make omitempty work correctly.
- Copy or merge maps in IntrospectionResponse and SetUserInfo
* op: add example for VerifyAccessToken
* fix: rp: wrong assignment in WithIssuedAtMaxAge
WithIssuedAtMaxAge assigned its value to v.maxAge, which was wrong.
This change fixes that by assiging the duration to v.maxAgeIAT.
* rp: add VerifyTokens example
* oidc: add standard references to:
- IDTokenClaims
- IntrospectionResponse
- UserInfo
* only count coverage for `./pkg/...`
BREAKING CHANGE:
- op.NewOpenIDProvider
- op.NewDynamicOpenIDProvider
The call chain of above functions did not use the context anywhere.
This change removes the context from those fucntion arguments.
This change implements OAuth2 Token Exchange in OP according to RFC 8693 (and client code)
Some implementation details:
- OP parses and verifies subject/actor tokens natively if they were issued by OP
- Third-party tokens verification is also possible by implementing additional storage interface
- Token exchange can issue only OP's native tokens (id_token, access_token and refresh_token) with static issuer
