zitadel/internal/domain/request.go

package domain

const (
	OrgDomainPrimaryScope = "urn:zitadel:iam:org:domain:primary:"
	OrgIDScope            = "urn:zitadel:iam:org:id:"
	OrgRoleIDScope        = "urn:zitadel:iam:org:roles:id:"
	OrgDomainPrimaryClaim = "urn:zitadel:iam:org:domain:primary"
	OrgIDClaim            = "urn:zitadel:iam:org:id"
	ProjectIDScope        = "urn:zitadel:iam:org:project:id:"
	ProjectIDScopeZITADEL = "zitadel"
	AudSuffix             = ":aud"
	ProjectScopeZITADEL   = ProjectIDScope + ProjectIDScopeZITADEL + AudSuffix
	SelectIDPScope        = "urn:zitadel:iam:org:idp:id:"
)

// TODO: Change AuthRequest to interface and let oidcauthreqesut implement it
type Request interface {
	Type() AuthRequestType
	IsValid() bool
}

type AuthRequestType int32

const (
	AuthRequestTypeOIDC AuthRequestType = iota
	AuthRequestTypeSAML
	AuthRequestTypeDevice
)

type AuthRequestOIDC struct {
	Scopes        []string
	ResponseType  OIDCResponseType
	ResponseMode  OIDCResponseMode
	Nonce         string
	CodeChallenge *OIDCCodeChallenge
}

func (a *AuthRequestOIDC) Type() AuthRequestType {
	return AuthRequestTypeOIDC
}

func (a *AuthRequestOIDC) IsValid() bool {
	return len(a.Scopes) > 0 &&
		a.CodeChallenge == nil || a.CodeChallenge != nil && a.CodeChallenge.IsValid()
}

type AuthRequestSAML struct {
	ID          string
	BindingType string
	Code        string
	Issuer      string
	IssuerName  string
	Destination string
}

func (a *AuthRequestSAML) Type() AuthRequestType {
	return AuthRequestTypeSAML
}

func (a *AuthRequestSAML) IsValid() bool {
	return true
}

type AuthRequestDevice struct {
	ClientID    string
	DeviceCode  string
	UserCode    string
	Scopes      []string
	Audience    []string
	AppName     string
	ProjectName string
}

func (*AuthRequestDevice) Type() AuthRequestType {
	return AuthRequestTypeDevice
}

func (a *AuthRequestDevice) IsValid() bool {
	return a.DeviceCode != "" && a.UserCode != ""
}
feat: User login commands (#1228) * feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs 2021-02-08 11:30:30 +01:00			`package domain`

			`const (`
			`OrgDomainPrimaryScope = "urn:zitadel:iam:org:domain:primary:"`
feat: restrict login to specific org by id (scope) (#4294) * feat: add new org scope * change default of UserLoginMustBeDomain to false * return resource owner claims * fix: use email style for first user * fix: ensure email style for default users (backwards compatibility) * change to external domain (as it was before UserLoginMustBeDomain change) * update e2e tests to use email style usernames * document new scope * lint e2e Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> 2022-09-23 14:08:10 +02:00			`OrgIDScope = "urn:zitadel:iam:org:id:"`
feat(oidc): organization roles scope (#8120) # Which Problems Are Solved An admin / application might want to be able to reduce the amount of roles returned in the token, for example if a user is granted to many organizations or for specific cases where the application want to narrow down the access for that token to a specific organization or multiple. This can now be achieved by providing a scope with the id of the organization, resp. multiple scopes for every organization, which should be included. ``` urn:zitadel:iam:org:roles:id:{orgID} ``` Note: the new scope does not work when Introspection / Userinfo are set to legacy mode. # How the Problems Are Solved The user info query now has two variants: 1. Variant that returns all organization authorization grants if the new scope wasn't provided for backward compatibility. 2. Variant that filters the organizations based on the IDs passed in one or more of the above scopes and returns only those authorization grants. The query is defined as a `text/template` and both variants are rendered once in package `init()`. # Additional Changes - In the integration tests `assertProjectRoleClaims` now also checks the org IDs in the roles. # Additional Context - Closes #7996 2024-06-14 10:00:43 +02:00			`OrgRoleIDScope = "urn:zitadel:iam:org:roles:id:"`
feat: User login commands (#1228) * feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs 2021-02-08 11:30:30 +01:00			`OrgDomainPrimaryClaim = "urn:zitadel:iam:org:domain:primary"`
feat: restrict login to specific org by id (scope) (#4294) * feat: add new org scope * change default of UserLoginMustBeDomain to false * return resource owner claims * fix: use email style for first user * fix: ensure email style for default users (backwards compatibility) * change to external domain (as it was before UserLoginMustBeDomain change) * update e2e tests to use email style usernames * document new scope * lint e2e Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> 2022-09-23 14:08:10 +02:00			`OrgIDClaim = "urn:zitadel:iam:org:id"`
feat: User login commands (#1228) * feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs 2021-02-08 11:30:30 +01:00			`ProjectIDScope = "urn:zitadel:iam:org:project:id:"`
feat: add ZITADEL project id scope (#4146) * feat: add ZITADEL project id scope * update documentation * documentation * fix scopes * change to lowercase 2022-08-09 09:45:59 +02:00			`ProjectIDScopeZITADEL = "zitadel"`
feat: User login commands (#1228) * feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs 2021-02-08 11:30:30 +01:00			`AudSuffix = ":aud"`
fix: ignore projectID and origin check for service accounts (#8704) # Which Problems Are Solved Calls with tokens issued through JWT Profile or Client Credentials Grants were no longer possible and threw a "could not read projectid by clientid (AUTH-GHpw2)" error. ZITADEL checks the allowed origins of an application and load its projectID into the context on any API call. Tokens from service accounts did not contain any clientID and therefore never did that check. But due to a change in https://github.com/zitadel/zitadel/pull/8580, were the service user id was set as client_id in the OIDC session to fix the introspection response (https://github.com/zitadel/zitadel/issues/8590). # How the Problems Are Solved - Check if the project and origin were retrieved and only then check the origins # Additional Changes None. # Additional Context - closes https://github.com/zitadel/zitadel/issues/8676 - relates to https://github.com/zitadel/zitadel/pull/8580 (released on 2.62.0) - relates to https://github.com/zitadel/zitadel/issues/8590 2024-10-01 16:38:28 +02:00			`ProjectScopeZITADEL = ProjectIDScope + ProjectIDScopeZITADEL + AudSuffix`
fix: change to repository event types and removed unused code (#3386) * fix: change to repository event types and removed unused code * some fixes * remove unused code 2022-03-31 11:36:26 +02:00			`SelectIDPScope = "urn:zitadel:iam:org:idp:id:"`
feat: User login commands (#1228) * feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs 2021-02-08 11:30:30 +01:00			`)`

feat: instance remove (#4345) * feat(instance): add remove instance event with projections cleanup * fix(instance): corrected used id to clean up projections * fix merge * fix: correct unit test projection names * fix: current sequence of lists and query for ensuring keypair based projections Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com> 2022-10-20 13:36:52 +01:00			`// TODO: Change AuthRequest to interface and let oidcauthreqesut implement it`
feat: User login commands (#1228) * feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs 2021-02-08 11:30:30 +01:00			`type Request interface {`
			`Type() AuthRequestType`
			`IsValid() bool`
			`}`

			`type AuthRequestType int32`

			`const (`
			`AuthRequestTypeOIDC AuthRequestType = iota`
			`AuthRequestTypeSAML`
feat: device authorization RFC 8628 (#5646) * device auth: implement the write events * add grant type device code * fix(init): check if default value implements stringer --------- Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2023-04-19 11:46:02 +03:00			`AuthRequestTypeDevice`
feat: User login commands (#1228) * feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs 2021-02-08 11:30:30 +01:00			`)`

			`type AuthRequestOIDC struct {`
			`Scopes []string`
			`ResponseType OIDCResponseType`
fix(oidc): store requested response_mode (#8145) # Which Problems Are Solved Zitadel never stored or returned the requested `response_mode` in oidc Auth Requests. This caused the oidc library to fallback to the default based on the response_type. # How the Problems Are Solved - Store the `response_mode` in the Auth request repo - Store the `response_mode` in the Auth request v2 events - Return the `resonse_mode` from the Auth Request v1 and v2 `ResponseMode()` methods. (Was hard-coded to an empty string) # Additional Changes - Populate the `response_modes_supported` to the oidc Discovery Configuration. When it was empty, the standard specifies the default of `query` and `fragment`. However, our oidc library also supports `form_post` and by this fix, zitadel now also supports this. # Additional Context - Closes #6586 - Reported https://discord.com/channels/927474939156643850/1151508313717084220 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2024-06-17 12:50:12 +03:00			`ResponseMode OIDCResponseMode`
feat: User login commands (#1228) * feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs 2021-02-08 11:30:30 +01:00			`Nonce string`
			`CodeChallenge *OIDCCodeChallenge`
			`}`

			`func (a *AuthRequestOIDC) Type() AuthRequestType {`
			`return AuthRequestTypeOIDC`
			`}`

			`func (a *AuthRequestOIDC) IsValid() bool {`
			`return len(a.Scopes) > 0 &&`
			`a.CodeChallenge == nil \|\| a.CodeChallenge != nil && a.CodeChallenge.IsValid()`
			`}`

			`type AuthRequestSAML struct {`
feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 17:18:08 +01:00			`ID string`
			`BindingType string`
			`Code string`
			`Issuer string`
			`IssuerName string`
			`Destination string`
feat: User login commands (#1228) * feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs 2021-02-08 11:30:30 +01:00			`}`

			`func (a *AuthRequestSAML) Type() AuthRequestType {`
			`return AuthRequestTypeSAML`
			`}`

			`func (a *AuthRequestSAML) IsValid() bool {`
			`return true`
			`}`
feat: device authorization RFC 8628 (#5646) * device auth: implement the write events * add grant type device code * fix(init): check if default value implements stringer --------- Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2023-04-19 11:46:02 +03:00
			`type AuthRequestDevice struct {`
feat(api): allow Device Authorization Grant using custom login UI (#9387) # Which Problems Are Solved The OAuth2 Device Authorization Grant could not yet been handled through the new login UI, resp. using the session API. This PR adds the ability for the login UI to get the required information to display the user and handle their decision (approve with authorization or deny) using the OIDC Service API. # How the Problems Are Solved - Added a `GetDeviceAuthorizationRequest` endpoint, which allows getting the `id`, `client_id`, `scope`, `app_name` and `project_name` of the device authorization request - Added a `AuthorizeOrDenyDeviceAuthorization` endpoint, which allows to approve/authorize with the session information or deny the request. The identification of the request is done by the `device_authorization_id` / `id` returned in the previous request. - To prevent leaking the `device_code` to the UI, but still having an easy reference, it's encrypted and returned as `id`, resp. decrypted when used. - Fixed returned error types for device token responses on token endpoint: - Explicitly return `access_denied` (without internal error) when user denied the request - Default to `invalid_grant` instead of `access_denied` - Explicitly check on initial state when approving the reqeust - Properly handle done case (also relates to initial check) - Documented the flow and handling in custom UIs (according to OIDC / SAML) # Additional Changes - fixed some typos and punctuation in the corresponding OIDC / SAML guides. - added some missing translations for auth and saml request # Additional Context - closes #6239 --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> 2025-02-25 07:33:13 +01:00			`ClientID string`
			`DeviceCode string`
			`UserCode string`
			`Scopes []string`
			`Audience []string`
			`AppName string`
			`ProjectName string`
feat: device authorization RFC 8628 (#5646) * device auth: implement the write events * add grant type device code * fix(init): check if default value implements stringer --------- Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2023-04-19 11:46:02 +03:00			`}`

			`func (*AuthRequestDevice) Type() AuthRequestType {`
			`return AuthRequestTypeDevice`
			`}`

			`func (a *AuthRequestDevice) IsValid() bool {`
feat(oidc): id token for device authorization (#7088) * cleanup todo * pass id token details to oidc * feat(oidc): id token for device authorization This changes updates to the newest oidc version, so the Device Authorization grant can return ID tokens when the scope `openid` is set. There is also some refactoring done, so that the eventstore can be queried directly when polling for state. The projection is cleaned up to a minimum with only data required for the login UI. * try to be explicit wit hthe timezone to fix github * pin oidc v3.8.0 * remove TBD entry 2023-12-20 14:21:08 +02:00			`return a.DeviceCode != "" && a.UserCode != ""`
feat: device authorization RFC 8628 (#5646) * device auth: implement the write events * add grant type device code * fix(init): check if default value implements stringer --------- Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2023-04-19 11:46:02 +03:00			`}`