zitadel-oidc/pkg/client/rp
Mark Laing c0d0ba9b0f
feat: Request aware cookie handling (#753)
* pkg/http: Add `secureCookieFunc` field to CookieHandler.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/http: Add `IsRequestAware` method to CookieHandler.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/http: Use `secureCookieFunc` when checking a cookie (if set).

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/http: Error on `SetCookie` if cookie handler is request aware.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/http: Add method to set request aware cookies.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/http: Add function to create a new request aware cookie handler.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/client/rp: Update `trySetStateCookie` function signature.

Use `SetRequestAwareCookie` if the cookie handler is request aware.
This function signature can be updated because it is not exported.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/client/rp: Add `GenerateAndStoreCodeChallengeWithRequest` function.

It's not possible to add a `http.Request` argument to
`GenerateAndStoreCodeChallenge` as this would be a breaking change.
Instead, add a new function that accepts a request argument and call
`SetRequestAwareCookie` here.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/client/rp: Update PKCE logic to pass request if required by cookie handler.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/http: Don't set MaxAge if cookie handler is request aware.

The securecookie field can be nil. Expect the caller to set max age on
the securecookie returned by the secureCookieFunc.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

* pkg/client: Add integration tests for request aware cookie handling.

Adds a new type `cookieSpec` which is accepted as an argument to
`RunAuthorizationCodeFlow`. `TestRelyingPartySession` now runs with
`wrapServer` true/false and with two cookie handlers, one static and one
request aware.

The request aware handler extracts encryption keys from a secret using a
salt from a "login_id" cookie.

Signed-off-by: Mark Laing <mark.laing@canonical.com>

---------

Signed-off-by: Mark Laing <mark.laing@canonical.com>
2025-07-16 11:33:03 +00:00
cli upgrade this module to v3 2023-03-20 13:38:21 +02:00
delegation.go upgrade this module to v3 2023-03-20 13:38:21 +02:00
device.go move tracer to client, 2024-03-13 15:45:03 +01:00
errors.go fix: Implement dedicated error for RevokeToken (#508) 2024-01-08 10:01:34 +02:00
jwks.go fix: to propagate context (#593) 2024-04-22 11:40:21 +00:00
log.go feat: go 1.22 and slog migration (#557) 2024-02-28 10:44:14 +01:00
relying_party.go feat: Request aware cookie handling (#753) 2025-07-16 11:33:03 +00:00
relying_party_test.go feat(rp): return oidc.Tokens on token refresh (#423) 2023-08-18 14:36:39 +02:00
tockenexchange.go upgrade this module to v3 2023-03-20 13:38:21 +02:00
userinfo_example_test.go feat: generic Userinfo and Introspect functions (#389) 2023-05-05 12:36:37 +00:00
verifier.go fix: Handle case where verifier Nonce func is nil (#594) 2024-05-02 09:46:12 +02:00
verifier_test.go fix: Handle case where verifier Nonce func is nil (#594) 2024-05-02 09:46:12 +02:00
verifier_tokens_example_test.go upgrade this module to v3 2023-03-20 13:38:21 +02:00