Commit graph

179 commits

Author SHA1 Message Date
Livio Amstutz
faca98d28d
feat: add all optional claims of the introspection response 2022-07-22 07:09:57 +02:00
Livio Amstutz
eee4f9b32b
fix query param handling 2022-06-21 07:33:47 +02:00
Livio Amstutz
9472f2a009
fix: encode auth response correctly (when using query in redirect uri) 2022-06-17 13:01:20 +02:00
Livio Amstutz
f345ddd0c5
fix: add state in access token response (implicit flow) 2022-06-17 10:01:20 +02:00
adlerhurst
bb4d854efe fix(module): rename caos to zitadel 2022-04-27 00:28:09 +02:00
Livio Amstutz
7dd0ea5780
update go module version to v2 2022-04-22 16:00:02 +02:00
Livio Amstutz
58e1e53c6b
fix mocks 2022-04-22 15:05:50 +02:00
Livio Amstutz
a27ba09872
feat(op): dynamic issuer depending on request / host
BREAKING CHANGE: The OpenID Provider package is now able to handle multiple issuers with a single storage implementation. The issuer will be selected from the host of the request and passed into the context, where every function can read it from if necessary. This results in some fundamental changes:
 - `Configuration` interface:
   - `Issuer() string` has been changed to `IssuerFromRequest(r *http.Request) string`
   - `Insecure() bool` has been added
 - OpenIDProvider interface and dependants:
   - `Issuer` has been removed from Config struct
   - `NewOpenIDProvider` now takes an additional parameter `issuer` and returns a pointer to the public/default implementation and not an OpenIDProvider interface:
     `NewOpenIDProvider(ctx context.Context, config *Config, storage Storage, opOpts ...Option) (OpenIDProvider, error)` changed to `NewOpenIDProvider(ctx context.Context, issuer string, config *Config, storage Storage, opOpts ...Option) (*Provider, error)`
   - therefore the parameter type Option changed to the public type as well: `Option func(o *Provider) error`
   - `AuthCallbackURL(o OpenIDProvider) func(string) string` has been changed to `AuthCallbackURL(o OpenIDProvider) func(context.Context, string) string`
   - `IDTokenHintVerifier() IDTokenHintVerifier` (Authorizer, OpenIDProvider, SessionEnder interfaces), `AccessTokenVerifier() AccessTokenVerifier` (Introspector, OpenIDProvider, Revoker, UserinfoProvider interfaces) and `JWTProfileVerifier() JWTProfileVerifier` (IntrospectorJWTProfile, JWTAuthorizationGrantExchanger, OpenIDProvider, RevokerJWTProfile interfaces) now take a context.Context parameter `IDTokenHintVerifier(context.Context) IDTokenHintVerifier`, `AccessTokenVerifier(context.Context) AccessTokenVerifier` and `JWTProfileVerifier(context.Context) JWTProfileVerifier`
   - `OidcDevMode` (CAOS_OIDC_DEV) environment variable check has been removed, use `WithAllowInsecure()` Option
 - Signing: the signer is not kept in memory anymore, but created on request from the loaded key:
   - `Signer` interface and func `NewSigner` have been removed
   - `ReadySigner(s Signer) ProbesFn` has been removed
   - `CreateDiscoveryConfig(c Configuration, s Signer) *oidc.DiscoveryConfiguration` has been changed to `CreateDiscoveryConfig(r *http.Request, config Configuration, storage DiscoverStorage) *oidc.DiscoveryConfiguration`
   - `Storage` interface:
     - `GetSigningKey(context.Context, chan<- jose.SigningKey)` has been changed to `SigningKey(context.Context) (SigningKey, error)`
     - `KeySet(context.Context) ([]Key, error)` has been added
     - `GetKeySet(context.Context) (*jose.JSONWebKeySet, error)` has been changed to `KeySet(context.Context) ([]Key, error)`
   - `SigAlgorithms(s Signer) []string` has been changed to `SigAlgorithms(ctx context.Context, storage DiscoverStorage) []string`
   - KeyProvider interface: `GetKeySet(context.Context) (*jose.JSONWebKeySet, error)` has been changed to `KeySet(context.Context) ([]Key, error)`
   - `CreateIDToken`: the Signer parameter has been removed
2022-04-22 14:23:29 +02:00
Livio Amstutz
c195452bb0
feat(rp): provide key by data (not only path) for jwt profile (#168) 2022-04-14 10:10:56 +02:00
dependabot[bot]
ab76b3518f
chore(deps): bump github.com/caos/logging from 0.0.2 to 0.3.1 (#159)
* chore(deps): bump github.com/caos/logging from 0.0.2 to 0.3.1

Bumps [github.com/caos/logging](https://github.com/caos/logging) from 0.0.2 to 0.3.1.
- [Release notes](https://github.com/caos/logging/releases)
- [Changelog](https://github.com/caos/logging/blob/master/.releaserc.js)
- [Commits](https://github.com/caos/logging/compare/v0.0.2...v0.3.1)

---
updated-dependencies:
- dependency-name: github.com/caos/logging
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* update logging

* update logging

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-03-16 11:14:57 +01:00
Livio Amstutz
c07557be02
feat: build the redirect after a successful login with AuthCallbackURL function (#164) 2022-03-16 10:55:29 +01:00
Silvan
1b81a2e890
Merge pull request #151 from caos/sign-concurrency 2022-03-01 10:07:30 +01:00
Ydris Rebibane
5601add628
feat: Allow the use of a custom discovery endpoint (#152)
* Allow the use of custom endpoints

* Remove the custom constrtouctor and replace with an optional argument to override the discovery endpoit
2022-02-16 09:14:54 +01:00
Livio Amstutz
e39146c98e fix: ensure signer has key on OP creation 2022-01-31 07:27:52 +01:00
Livio Amstutz
7ea5ddf250 add missing import 2022-01-28 09:48:37 +01:00
Livio Amstutz
bcd9ec8d85 fix: handle keys without use in FindMatchingKey 2022-01-28 09:42:42 +01:00
Livio Amstutz
eb10752e48
feat: Token Revocation, Request Object and OP Certification (#130)
FEATURES (and FIXES):
- support OAuth 2.0 Token Revocation [RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009)
- handle request object using `request` parameter [OIDC Core 1.0 Request Object](https://openid.net/specs/openid-connect-core-1_0.html#RequestObject)
- handle response mode
- added some information to the discovery endpoint:
  - revocation_endpoint (added with token revocation) 
  - revocation_endpoint_auth_methods_supported (added with token revocation)
  - revocation_endpoint_auth_signing_alg_values_supported (added with token revocation)
  - token_endpoint_auth_signing_alg_values_supported (was missing)
  - introspection_endpoint_auth_signing_alg_values_supported (was missing)
  - request_object_signing_alg_values_supported (added with request object)
  - request_parameter_supported (added with request object)
 - fixed `removeUserinfoScopes ` now returns the scopes without "userinfo" scopes (profile, email, phone, addedd) [source diff](https://github.com/caos/oidc/pull/130/files#diff-fad50c8c0f065d4dbc49d6c6a38f09c992c8f5d651a479ba00e31b500543559eL170-R171)
- improved error handling (pkg/oidc/error.go) and fixed some wrong OAuth errors (e.g. `invalid_grant` instead of `invalid_request`)
- improved MarshalJSON and added MarshalJSONWithStatus
- removed deprecated PEM decryption from `BytesToPrivateKey`  [source diff](https://github.com/caos/oidc/pull/130/files#diff-fe246e428e399ccff599627c71764de51387b60b4df84c67de3febd0954e859bL11-L19)
- NewAccessTokenVerifier now uses correct (internal) `accessTokenVerifier` [source diff](https://github.com/caos/oidc/pull/130/files#diff-3a01c7500ead8f35448456ef231c7c22f8d291710936cac91de5edeef52ffc72L52-R52)

BREAKING CHANGE:
- move functions from `utils` package into separate packages
- added various methods to the (OP) `Configuration` interface [source diff](https://github.com/caos/oidc/pull/130/files#diff-2538e0dfc772fdc37f057aecd6fcc2943f516c24e8be794cce0e368a26d20a82R19-R32)
- added revocationEndpoint to `WithCustomEndpoints ` [source diff](https://github.com/caos/oidc/pull/130/files#diff-19ae13a743eb7cebbb96492798b1bec556673eb6236b1387e38d722900bae1c3L355-R391)
- remove unnecessary context parameter from JWTProfileExchange [source diff](https://github.com/caos/oidc/pull/130/files#diff-4ed8f6affa4a9631fa8a034b3d5752fbb6a819107141aae00029014e950f7b4cL14)
2021-11-02 13:21:35 +01:00
Witold Konior
763d3334e7
feat: Enable parsing email_verified from string. (#139)
* Enable parsing email_verified from string.

AWS Cognito will return email_verified from /userinfo endpoint as string.
This fix will accept proper boolean values as well as string values.

Links for reference:
https://forums.aws.amazon.com/thread.jspa?messageID=949441&#949441
https://discuss.elastic.co/t/openid-error-after-authenticating-against-aws-cognito/206018/11

* feat: Enable parsing email_verified from string.
2021-11-02 09:14:33 +01:00
陈杨文
c45f03e144
fix: allowed ConcatenateJSON with empty input (#138) 2021-10-28 07:06:34 +02:00
陈杨文
ff2c164057
fix: improve example & fix userinfo marshal (#132)
* fix: example client should track state, call cli.CodeFlow need context

* fix: oidc userinfo can UnmarshalJSON with address

* rp Discover use client.Discover

* add instruction for example to README.md
2021-10-08 08:20:45 +02:00
Livio Amstutz
a63fbee93d
fix: improve JWS and key verification (#128)
* fix: improve JWS and key verification

* fix: get remote keys if no cached key matches

* fix: get remote keys if no cached key matches

* fix exactMatch

* fix exactMatch

* chore: change default branch name in .releaserc.js
2021-09-14 15:13:44 +02:00
Timo Volkmann
99812e0b8e
pkce: encode code verifier with base64 without padding
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2021-09-13 13:56:38 +02:00
Timo Volkmann
af3a497b6d fix: make pkce code_verifier spec compliant #125
follow recommendations for code_verifier: https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
2021-09-09 14:33:59 +02:00
Beardo Moore
581885afb1
task: Ease dev host name constraints
This changes the requirements for a issuer hostname to allow anything
that is `http`. The reason for this is because the user of the library
already has to make a conscious decision to set `CAOS_OIDC_DEV` so they
should already understand the risks of not using `https`. The primary
motivation for this change is to allow IdPs to be created in a
containerized integration test environment. Specifically setting up a
docker compose file that starts all parts of the system with a test IdP
using this library where the DNS name will not be `localhost`.
2021-08-26 20:32:51 +00:00
Livio Amstutz
1132c9d93d
fix: removeUserinfoScopes return new slice (without manipulating passed one) (#110) 2021-07-21 08:27:38 +02:00
Livio Amstutz
8a35b89815
fix: supported ui locales from config (#107) 2021-07-09 09:20:03 +02:00
Livio Amstutz
147c6dca6e fixes 2021-07-06 08:58:35 +02:00
Livio Amstutz
58e27e8073 simplify KeyProvider interface 2021-06-30 14:10:38 +02:00
Livio Amstutz
0b446618c7 custom claims for assertion and jwt profile request 2021-06-23 14:01:31 +02:00
Livio Amstutz
e9fc710b1f Merge branch 'master' into jwt-profile-storage
# Conflicts:
#	pkg/op/verifier_jwt_profile.go
2021-06-23 13:51:20 +02:00
Livio Amstutz
850faa159d
fix: rp verification process (#95)
* fix: rp verification process

* types

* comments

* fix cli client
2021-06-23 11:08:54 +02:00
Livio Amstutz
39fef3e7fb fix: simplify JWTProfileVerifier interface 2021-06-21 14:04:38 +02:00
Livio Amstutz
400f5c4de4
fix: parse max_age and prompt correctly (and change scope type) (#105)
* fix: parse max_age and prompt correctly (and change scope type)

* remove unnecessary omitempty
2021-06-16 08:34:01 +02:00
Livio Amstutz
3e336a4075
fix: check refresh token grant type (#100) 2021-05-31 11:35:03 +02:00
Livio Amstutz
14faebbb77 fix: check grant types and add refresh token to discovery 2021-05-27 13:44:11 +02:00
Livio Amstutz
d362dd7546 handle error 2021-05-11 15:20:22 +02:00
Livio Amstutz
90b87289cb
Update pkg/op/token_code.go
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2021-05-11 15:17:10 +02:00
Livio Amstutz
2a11a1979e rename storage methods and fix mocks 2021-05-11 10:48:11 +02:00
Livio Amstutz
3a46908051 Merge branch 'master' into refresh-token 2021-05-11 10:27:43 +02:00
Livio Amstutz
be04244212 amr and scopes 2021-05-11 10:26:25 +02:00
Livio Amstutz
540a7bd7be improve Loopback check 2021-04-29 12:43:21 +02:00
Livio Amstutz
5119d7aea3 begin refresh token 2021-04-29 09:20:01 +02:00
Livio Amstutz
72fc86164c fix: allow loopback redirect_uri for native apps 2021-04-26 14:31:26 +02:00
Livio Amstutz
a2601f1584
fix: return error when delegating user in jwt profile request (#94) 2021-04-23 11:53:03 +02:00
Livio Amstutz
b258b3cadb fix: url safe encryption with no padding (#93) 2021-04-19 13:41:27 +02:00
Elio Bischof
5cd7bae505
fix: cli client (#92)
* fix: cli client

* fix: print shutdown error correctly
2021-04-08 09:54:39 +02:00
Livio Amstutz
8f6e2c5974 chore: improve signer log messages 2021-03-05 07:53:35 +01:00
Livio Amstutz
d7d7daab2d fix: encoding of basic auth header values 2021-03-05 07:44:37 +01:00
Elio Bischof
f2f509a522
fix: wrap original fetch key error 2021-03-02 23:58:34 +01:00
Livio Amstutz
e1f0456228 merge 2021-02-22 14:57:15 +01:00