zitadel-oidc

History

Mark Laing c0d0ba9b0f feat: Request aware cookie handling (#753 ) * pkg/http: Add `secureCookieFunc` field to CookieHandler. Signed-off-by: Mark Laing <mark.laing@canonical.com> * pkg/http: Add `IsRequestAware` method CookieHandler. Signed-off-by: Mark Laing <mark.laing@canonical.com> * pkg/http: Use `secureCookieFunc` when checking a cookie (if set). Signed-off-by: Mark Laing <mark.laing@canonical.com> * pkg/http: Error on `SetCookie` if cookie handler is request aware. Signed-off-by: Mark Laing <mark.laing@canonical.com> * pkg/http: Add method to set request aware cookies. Signed-off-by: Mark Laing <mark.laing@canonical.com> * pkg/http: Add function to create a new request aware cookie handler. Signed-off-by: Mark Laing <mark.laing@canonical.com> * pkg/client/rp: Update `trySetStateCookie` function signature. Use `SetRequestAwareCookie` if the cookie handle is request aware. This function signature can be updated because it is not exported. Signed-off-by: Mark Laing <mark.laing@canonical.com> * pkg/client/rp: Add `GenerateAndStoreCodeChallengeWithRequest` function. It's not possible to add a `http.Request` argument to `GenerateAndStoreCodeChallenge` as this would be a breaking change. Instead, add a new function that accepts a request argument and call `SetRequestAwareCookie` here. Signed-off-by: Mark Laing <mark.laing@canonical.com> * pkg/client/rp: Update PKCE logic to pass request if required by cookie handler. Signed-off-by: Mark Laing <mark.laing@canonical.com> * pkg/http: Don't set MaxAge if cookie handler is request aware. The securecookie field can be nil. Expect the caller to set max age on the securecookie returned by the secureCookieFunc. Signed-off-by: Mark Laing <mark.laing@canonical.com> * pkg/client: Add integration tests for request aware cookie handling. Adds a new type `cookieSpec` which is accepted as an argument to `RunAuthorizationCodeFlow`. `TestRelyingPartySession` now runs with `wrapServer` true/false and with two cookie handlers, one static and one request aware. The request aware handler extracts encryption keys from a secret using a salt from a "login_id" cookie. Signed-off-by: Mark Laing <mark.laing@canonical.com> --------- Signed-off-by: Mark Laing <mark.laing@canonical.com>		2025-07-16 11:33:03 +00:00
..
client	feat: Request aware cookie handling (#753 )	2025-07-16 11:33:03 +00:00
crypto	feat(crypto): hash algorithm for EdDSA (#638 )	2024-08-21 07:32:13 +00:00
http	feat: Request aware cookie handling (#753 )	2025-07-16 11:33:03 +00:00
oidc	fix: Omit empty assertion fields in client creds request (#745 )	2025-07-02 12:34:13 +00:00
op	feat: exclude OTEL instrumentation via build tag (#770 )	2025-07-16 11:29:59 +00:00
strings	refactor: mark pkg/strings as deprecated in favor of stdlib (#680 )	2024-11-15 18:47:32 +02:00