zitadel/internal/idp/providers/oidc/session.go

package oidc

import (
	"context"
	"errors"

	"github.com/zitadel/oidc/v3/pkg/client/rp"
	"github.com/zitadel/oidc/v3/pkg/oidc"
	"golang.org/x/text/language"

	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/idp"
)

var ErrCodeMissing = errors.New("no auth code provided")

var _ idp.Session = (*Session)(nil)

// Session is the [idp.Session] implementation for the OIDC provider.
type Session struct {
	Provider *Provider
	AuthURL  string
	Code     string
	Tokens   *oidc.Tokens[*oidc.IDTokenClaims]
}

// GetAuth implements the [idp.Session] interface.
func (s *Session) GetAuth(ctx context.Context) (string, bool) {
	return idp.Redirect(s.AuthURL)
}

// FetchUser implements the [idp.Session] interface.
// It will execute an OIDC code exchange if needed to retrieve the tokens,
// call the userinfo endpoint and map the received information into an [idp.User].
func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {
	if s.Tokens == nil {
		if err = s.Authorize(ctx); err != nil {
			return nil, err
		}
	}
	info, err := rp.Userinfo[*oidc.UserInfo](ctx,
		s.Tokens.AccessToken,
		s.Tokens.TokenType,
		s.Tokens.IDTokenClaims.GetSubject(),
		s.Provider.RelyingParty,
	)
	if err != nil {
		return nil, err
	}
	if s.Provider.useIDToken {
		info = s.Tokens.IDTokenClaims.GetUserInfo()
	}
	u := s.Provider.userInfoMapper(info)
	return u, nil
}

func (s *Session) Authorize(ctx context.Context) (err error) {
	if s.Code == "" {
		return ErrCodeMissing
	}
	s.Tokens, err = rp.CodeExchange[*oidc.IDTokenClaims](ctx, s.Code, s.Provider.RelyingParty)
	return err
}

func NewUser(info *oidc.UserInfo) *User {
	return &User{UserInfo: info}
}

type User struct {
	*oidc.UserInfo
}

func (u *User) GetID() string {
	return u.Subject
}

func (u *User) GetFirstName() string {
	return u.GivenName
}

func (u *User) GetLastName() string {
	return u.FamilyName
}

func (u *User) GetDisplayName() string {
	return u.Name
}

func (u *User) GetNickname() string {
	return u.Nickname
}

func (u *User) GetPreferredUsername() string {
	return u.PreferredUsername
}

func (u *User) GetEmail() domain.EmailAddress {
	return domain.EmailAddress(u.UserInfo.Email)
}

func (u *User) IsEmailVerified() bool {
	return bool(u.EmailVerified)
}

func (u *User) GetPhone() domain.PhoneNumber {
	return domain.PhoneNumber(u.PhoneNumber)
}

func (u *User) IsPhoneVerified() bool {
	return u.PhoneNumberVerified
}

func (u *User) GetPreferredLanguage() language.Tag {
	return u.Locale.Tag()
}

func (u *User) GetAvatarURL() string {
	return u.Picture
}

func (u *User) GetProfile() string {
	return u.Profile
}
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`package oidc`

			`import (`
			`"context"`
			`"errors"`

chore(deps): upgrade to oidc v3 (#6737) This pr upgrades oidc to v3 . Function signature changes have been migrated as well. Specifically there are more client calls that take a context now. Where feasable a context is added to those calls. Where a context is not (easily) available context.TODO() is used as a reminder for when it does. Related to #6619 2023-10-17 15:19:51 +00:00			`"github.com/zitadel/oidc/v3/pkg/client/rp"`
			`"github.com/zitadel/oidc/v3/pkg/oidc"`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`"golang.org/x/text/language"`

fix: make user creation errors helpful (#5382) * fix: make user creation errors helpful * fix linting and unit testing errors * fix linting * make zitadel config reusable * fix human validations * translate ssr errors * make zitadel config reusable * cover more translations for ssr * handle email validation message centrally * fix unit tests * fix linting * align signatures * use more precise wording * handle phone validation message centrally * fix: return specific profile errors * docs: edit comments * fix unit tests --------- Co-authored-by: Silvan <silvan.reusser@gmail.com> 2023-03-14 19:20:38 +00:00			`"github.com/zitadel/zitadel/internal/domain"`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`"github.com/zitadel/zitadel/internal/idp"`
			`)`

			`var ErrCodeMissing = errors.New("no auth code provided")`

			`var _ idp.Session = (*Session)(nil)`

			`// Session is the [idp.Session] implementation for the OIDC provider.`
			`type Session struct {`
			`Provider *Provider`
			`AuthURL string`
			`Code string`
chore: upgrade to oidc v2 release (#5437) * chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-03-28 11:28:56 +00:00			`Tokens oidc.Tokens[oidc.IDTokenClaims]`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`}`

feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-09-29 09:26:14 +00:00			`// GetAuth implements the [idp.Session] interface.`
			`func (s *Session) GetAuth(ctx context.Context) (string, bool) {`
			`return idp.Redirect(s.AuthURL)`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`}`

			`// FetchUser implements the [idp.Session] interface.`
			`// It will execute an OIDC code exchange if needed to retrieve the tokens,`
			`// call the userinfo endpoint and map the received information into an [idp.User].`
			`func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {`
			`if s.Tokens == nil {`
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch> 2023-08-31 06:39:16 +00:00			`if err = s.Authorize(ctx); err != nil {`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`return nil, err`
			`}`
			`}`
chore(deps): upgrade to oidc v3 (#6737) This pr upgrades oidc to v3 . Function signature changes have been migrated as well. Specifically there are more client calls that take a context now. Where feasable a context is added to those calls. Where a context is not (easily) available context.TODO() is used as a reminder for when it does. Related to #6619 2023-10-17 15:19:51 +00:00			`info, err := rp.Userinfo[*oidc.UserInfo](ctx,`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`s.Tokens.AccessToken,`
			`s.Tokens.TokenType,`
			`s.Tokens.IDTokenClaims.GetSubject(),`
			`s.Provider.RelyingParty,`
			`)`
			`if err != nil {`
			`return nil, err`
			`}`
fix: use idToken for mapping when using old configs (#5458) * fix: use idToken for mapping when using old configs * fix events and add tests 2023-03-16 15:47:22 +00:00			`if s.Provider.useIDToken {`
chore: upgrade to oidc v2 release (#5437) * chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-03-28 11:28:56 +00:00			`info = s.Tokens.IDTokenClaims.GetUserInfo()`
fix: use idToken for mapping when using old configs (#5458) * fix: use idToken for mapping when using old configs * fix events and add tests 2023-03-16 15:47:22 +00:00			`}`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`u := s.Provider.userInfoMapper(info)`
			`return u, nil`
			`}`

feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch> 2023-08-31 06:39:16 +00:00			`func (s *Session) Authorize(ctx context.Context) (err error) {`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`if s.Code == "" {`
			`return ErrCodeMissing`
			`}`
chore: upgrade to oidc v2 release (#5437) * chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-03-28 11:28:56 +00:00			`s.Tokens, err = rp.CodeExchange[*oidc.IDTokenClaims](ctx, s.Code, s.Provider.RelyingParty)`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`return err`
			`}`

chore: upgrade to oidc v2 release (#5437) * chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-03-28 11:28:56 +00:00			`func NewUser(info oidc.UserInfo) User {`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`return &User{UserInfo: info}`
			`}`

			`type User struct {`
chore: upgrade to oidc v2 release (#5437) * chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-03-28 11:28:56 +00:00			`*oidc.UserInfo`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`}`

			`func (u *User) GetID() string {`
chore: upgrade to oidc v2 release (#5437) * chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-03-28 11:28:56 +00:00			`return u.Subject`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`}`

			`func (u *User) GetFirstName() string {`
chore: upgrade to oidc v2 release (#5437) * chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-03-28 11:28:56 +00:00			`return u.GivenName`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`}`

			`func (u *User) GetLastName() string {`
chore: upgrade to oidc v2 release (#5437) * chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-03-28 11:28:56 +00:00			`return u.FamilyName`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`}`

			`func (u *User) GetDisplayName() string {`
chore: upgrade to oidc v2 release (#5437) * chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-03-28 11:28:56 +00:00			`return u.Name`
			`}`

			`func (u *User) GetNickname() string {`
			`return u.Nickname`
			`}`

			`func (u *User) GetPreferredUsername() string {`
			`return u.PreferredUsername`
			`}`

			`func (u *User) GetEmail() domain.EmailAddress {`
			`return domain.EmailAddress(u.UserInfo.Email)`
			`}`

			`func (u *User) IsEmailVerified() bool {`
			`return bool(u.EmailVerified)`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`}`

fix: make user creation errors helpful (#5382) * fix: make user creation errors helpful * fix linting and unit testing errors * fix linting * make zitadel config reusable * fix human validations * translate ssr errors * make zitadel config reusable * cover more translations for ssr * handle email validation message centrally * fix unit tests * fix linting * align signatures * use more precise wording * handle phone validation message centrally * fix: return specific profile errors * docs: edit comments * fix unit tests --------- Co-authored-by: Silvan <silvan.reusser@gmail.com> 2023-03-14 19:20:38 +00:00			`func (u *User) GetPhone() domain.PhoneNumber {`
chore: upgrade to oidc v2 release (#5437) * chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-03-28 11:28:56 +00:00			`return domain.PhoneNumber(u.PhoneNumber)`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`}`

			`func (u *User) IsPhoneVerified() bool {`
chore: upgrade to oidc v2 release (#5437) * chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-03-28 11:28:56 +00:00			`return u.PhoneNumberVerified`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`}`

			`func (u *User) GetPreferredLanguage() language.Tag {`
chore: upgrade to oidc v2 release (#5437) * chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-03-28 11:28:56 +00:00			`return u.Locale.Tag()`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`}`

			`func (u *User) GetAvatarURL() string {`
chore: upgrade to oidc v2 release (#5437) * chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-03-28 11:28:56 +00:00			`return u.Picture`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 07:11:40 +00:00			`}`
fix: make user creation errors helpful (#5382) * fix: make user creation errors helpful * fix linting and unit testing errors * fix linting * make zitadel config reusable * fix human validations * translate ssr errors * make zitadel config reusable * cover more translations for ssr * handle email validation message centrally * fix unit tests * fix linting * align signatures * use more precise wording * handle phone validation message centrally * fix: return specific profile errors * docs: edit comments * fix unit tests --------- Co-authored-by: Silvan <silvan.reusser@gmail.com> 2023-03-14 19:20:38 +00:00
chore: upgrade to oidc v2 release (#5437) * chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-03-28 11:28:56 +00:00			`func (u *User) GetProfile() string {`
			`return u.Profile`
fix: make user creation errors helpful (#5382) * fix: make user creation errors helpful * fix linting and unit testing errors * fix linting * make zitadel config reusable * fix human validations * translate ssr errors * make zitadel config reusable * cover more translations for ssr * handle email validation message centrally * fix unit tests * fix linting * align signatures * use more precise wording * handle phone validation message centrally * fix: return specific profile errors * docs: edit comments * fix unit tests --------- Co-authored-by: Silvan <silvan.reusser@gmail.com> 2023-03-14 19:20:38 +00:00			`}`