cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
zitadel-oidc/pkg/http
History
Mark Laing c0d0ba9b0f
feat: Request aware cookie handling (#753) 
* pkg/http: Add `secureCookieFunc` field to CookieHandler.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/http: Add `IsRequestAware` method CookieHandler.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/http: Use `secureCookieFunc` when checking a cookie (if set).

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/http: Error on `SetCookie` if cookie handler is request aware.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/http: Add method to set request aware cookies.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/http: Add function to create a new request aware cookie handler.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/client/rp: Update `trySetStateCookie` function signature.

Use `SetRequestAwareCookie` if the cookie handle is request aware.
This function signature can be updated because it is not exported.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/client/rp: Add `GenerateAndStoreCodeChallengeWithRequest` function.

It's not possible to add a `http.Request` argument to
`GenerateAndStoreCodeChallenge` as this would be a breaking change.
Instead, add a new function that accepts a request argument and call
`SetRequestAwareCookie` here.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/client/rp: Update PKCE logic to pass request if required by cookie handler.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/http: Don't set MaxAge if cookie handler is request aware.

The securecookie field can be nil. Expect the caller to set max age on
the securecookie returned by the secureCookieFunc.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/client: Add integration tests for request aware cookie handling.

Adds a new type `cookieSpec` which is accepted as an argument to
`RunAuthorizationCodeFlow`. `TestRelyingPartySession` now runs with
`wrapServer` true/false and with two cookie handlers, one static and one
request aware.

The request aware handler extracts encryption keys from a secret using a
salt from a "login_id" cookie.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

---------

Signed-off-by: Mark Laing <mark.laing@canonical.com>
2025-07-16 11:33:03 +00:00
..
cookie.go feat: Request aware cookie handling (#753) 2025-07-16 11:33:03 +00:00
http.go feat: return oidc.Error in case of call token failure (#571) 2024-04-01 13:55:22 +00:00
marshal.go chore: replace interface{} with any (#448) 2023-10-12 12:41:04 +03:00
marshal_test.go chore: replace interface{} with any (#448) 2023-10-12 12:41:04 +03:00