2020-06-05 07:50:04 +02:00
|
|
|
package oidc
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2023-07-10 15:27:00 +02:00
|
|
|
"encoding/base64"
|
2024-05-16 08:07:56 +03:00
|
|
|
"fmt"
|
|
|
|
"net/http"
|
|
|
|
"slices"
|
2020-10-16 07:49:38 +02:00
|
|
|
"strings"
|
2020-06-05 07:50:04 +02:00
|
|
|
"time"
|
|
|
|
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/logging"
|
2023-10-17 18:19:51 +03:00
|
|
|
"github.com/zitadel/oidc/v3/pkg/oidc"
|
|
|
|
"github.com/zitadel/oidc/v3/pkg/op"
|
2020-06-05 07:50:04 +02:00
|
|
|
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
2023-07-10 15:27:00 +02:00
|
|
|
http_utils "github.com/zitadel/zitadel/internal/api/http"
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/api/http/middleware"
|
2024-09-04 12:14:50 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/handler"
|
2023-07-10 15:27:00 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/command"
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/query"
|
|
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
|
|
|
"github.com/zitadel/zitadel/internal/user/model"
|
2023-12-08 16:30:55 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
2020-06-05 07:50:04 +02:00
|
|
|
)
|
|
|
|
|
2023-07-10 15:27:00 +02:00
|
|
|
const (
|
|
|
|
LoginClientHeader = "x-zitadel-login-client"
|
|
|
|
)
|
|
|
|
|
2020-10-21 10:18:34 +02:00
|
|
|
func (o *OPStorage) CreateAuthRequest(ctx context.Context, req *oidc.AuthRequest, userID string) (_ op.AuthRequest, err error) {
|
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
2024-01-18 08:10:49 +02:00
|
|
|
defer func() {
|
|
|
|
err = oidcError(err)
|
|
|
|
span.EndWithError(err)
|
|
|
|
}()
|
2023-07-10 15:27:00 +02:00
|
|
|
|
|
|
|
headers, _ := http_utils.HeadersFromCtx(ctx)
|
|
|
|
if loginClient := headers.Get(LoginClientHeader); loginClient != "" {
|
|
|
|
return o.createAuthRequestLoginClient(ctx, req, userID, loginClient)
|
|
|
|
}
|
|
|
|
|
|
|
|
return o.createAuthRequest(ctx, req, userID)
|
|
|
|
}
|
|
|
|
|
2024-04-03 09:06:21 +03:00
|
|
|
func (o *OPStorage) createAuthRequestScopeAndAudience(ctx context.Context, clientID string, reqScope []string) (scope, audience []string, err error) {
|
|
|
|
project, err := o.query.ProjectByClientID(ctx, clientID)
|
2023-07-10 15:27:00 +02:00
|
|
|
if err != nil {
|
2024-03-21 19:42:44 +02:00
|
|
|
return nil, nil, err
|
2023-07-10 15:27:00 +02:00
|
|
|
}
|
2024-04-03 09:06:21 +03:00
|
|
|
scope, err = o.assertProjectRoleScopesByProject(ctx, project, reqScope)
|
2023-07-10 15:27:00 +02:00
|
|
|
if err != nil {
|
2024-03-21 19:42:44 +02:00
|
|
|
return nil, nil, err
|
2023-07-10 15:27:00 +02:00
|
|
|
}
|
2024-03-21 19:42:44 +02:00
|
|
|
audience, err = o.audienceFromProjectID(ctx, project.ID)
|
|
|
|
audience = domain.AddAudScopeToAudience(ctx, audience, scope)
|
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
}
|
|
|
|
return scope, audience, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (o *OPStorage) createAuthRequestLoginClient(ctx context.Context, req *oidc.AuthRequest, hintUserID, loginClient string) (op.AuthRequest, error) {
|
2024-04-03 09:06:21 +03:00
|
|
|
scope, audience, err := o.createAuthRequestScopeAndAudience(ctx, req.ClientID, req.Scopes)
|
2023-07-10 15:27:00 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
authRequest := &command.AuthRequest{
|
2024-05-16 08:07:56 +03:00
|
|
|
LoginClient: loginClient,
|
|
|
|
ClientID: req.ClientID,
|
|
|
|
RedirectURI: req.RedirectURI,
|
|
|
|
State: req.State,
|
|
|
|
Nonce: req.Nonce,
|
|
|
|
Scope: scope,
|
|
|
|
Audience: audience,
|
|
|
|
NeedRefreshToken: slices.Contains(scope, oidc.ScopeOfflineAccess),
|
|
|
|
ResponseType: ResponseTypeToBusiness(req.ResponseType),
|
2024-06-17 12:50:12 +03:00
|
|
|
ResponseMode: ResponseModeToBusiness(req.ResponseMode),
|
2024-05-16 08:07:56 +03:00
|
|
|
CodeChallenge: CodeChallengeToBusiness(req.CodeChallenge, req.CodeChallengeMethod),
|
|
|
|
Prompt: PromptToBusiness(req.Prompt),
|
|
|
|
UILocales: UILocalesToBusiness(req.UILocales),
|
|
|
|
MaxAge: MaxAgeToBusiness(req.MaxAge),
|
2023-07-10 15:27:00 +02:00
|
|
|
}
|
|
|
|
if req.LoginHint != "" {
|
|
|
|
authRequest.LoginHint = &req.LoginHint
|
|
|
|
}
|
|
|
|
if hintUserID != "" {
|
|
|
|
authRequest.HintUserID = &hintUserID
|
|
|
|
}
|
|
|
|
|
|
|
|
aar, err := o.command.AddAuthRequest(ctx, authRequest)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &AuthRequestV2{aar}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (o *OPStorage) createAuthRequest(ctx context.Context, req *oidc.AuthRequest, userID string) (_ op.AuthRequest, err error) {
|
2020-08-31 08:49:35 +02:00
|
|
|
userAgentID, ok := middleware.UserAgentIDFromCtx(ctx)
|
2020-06-05 07:50:04 +02:00
|
|
|
if !ok {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "OIDC-sd436", "no user agent id")
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
2024-04-03 09:06:21 +03:00
|
|
|
scope, audience, err := o.createAuthRequestScopeAndAudience(ctx, req.ClientID, req.Scopes)
|
2020-10-16 07:49:38 +02:00
|
|
|
if err != nil {
|
2024-03-21 19:42:44 +02:00
|
|
|
return nil, err
|
2020-10-16 07:49:38 +02:00
|
|
|
}
|
2024-03-21 19:42:44 +02:00
|
|
|
req.Scopes = scope
|
|
|
|
authRequest := CreateAuthRequestToBusiness(ctx, req, userAgentID, userID, audience)
|
2020-06-05 07:50:04 +02:00
|
|
|
resp, err := o.repo.CreateAuthRequest(ctx, authRequest)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return AuthRequestFromBusiness(resp)
|
|
|
|
}
|
|
|
|
|
2023-07-10 15:27:00 +02:00
|
|
|
func (o *OPStorage) audienceFromProjectID(ctx context.Context, projectID string) ([]string, error) {
|
|
|
|
projectIDQuery, err := query.NewAppProjectIDSearchQuery(projectID)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2024-01-18 08:10:49 +02:00
|
|
|
appIDs, err := o.query.SearchClientIDs(ctx, &query.AppSearchQueries{Queries: []query.SearchQuery{projectIDQuery}}, true)
|
2023-07-10 15:27:00 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return append(appIDs, projectID), nil
|
|
|
|
}
|
|
|
|
|
2020-10-21 10:18:34 +02:00
|
|
|
func (o *OPStorage) AuthRequestByID(ctx context.Context, id string) (_ op.AuthRequest, err error) {
|
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
2024-01-18 08:10:49 +02:00
|
|
|
defer func() {
|
|
|
|
err = oidcError(err)
|
|
|
|
span.EndWithError(err)
|
|
|
|
}()
|
2023-07-10 15:27:00 +02:00
|
|
|
|
|
|
|
if strings.HasPrefix(id, command.IDPrefixV2) {
|
|
|
|
req, err := o.command.GetCurrentAuthRequest(ctx, id)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &AuthRequestV2{req}, nil
|
|
|
|
}
|
|
|
|
|
2020-08-31 08:49:35 +02:00
|
|
|
userAgentID, ok := middleware.UserAgentIDFromCtx(ctx)
|
|
|
|
if !ok {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "OIDC-D3g21", "no user agent id")
|
2020-08-31 08:49:35 +02:00
|
|
|
}
|
2022-04-05 07:58:09 +02:00
|
|
|
resp, err := o.repo.AuthRequestByIDCheckLoggedIn(ctx, id, userAgentID)
|
2020-06-05 07:50:04 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return AuthRequestFromBusiness(resp)
|
|
|
|
}
|
|
|
|
|
2020-10-21 10:18:34 +02:00
|
|
|
func (o *OPStorage) AuthRequestByCode(ctx context.Context, code string) (_ op.AuthRequest, err error) {
|
2024-05-16 08:07:56 +03:00
|
|
|
panic(o.panicErr("AuthRequestByCode"))
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
|
|
|
|
2023-07-10 15:27:00 +02:00
|
|
|
// decryptGrant decrypts a code or refresh_token
|
|
|
|
func (o *OPStorage) decryptGrant(grant string) (string, error) {
|
|
|
|
decodedGrant, err := base64.RawURLEncoding.DecodeString(grant)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return o.encAlg.DecryptString(decodedGrant, o.encAlg.EncryptionKeyID())
|
|
|
|
}
|
|
|
|
|
2020-10-21 10:18:34 +02:00
|
|
|
func (o *OPStorage) SaveAuthCode(ctx context.Context, id, code string) (err error) {
|
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
2024-01-18 08:10:49 +02:00
|
|
|
defer func() {
|
|
|
|
err = oidcError(err)
|
|
|
|
span.EndWithError(err)
|
|
|
|
}()
|
2023-07-10 15:27:00 +02:00
|
|
|
|
|
|
|
if strings.HasPrefix(id, command.IDPrefixV2) {
|
|
|
|
return o.command.AddAuthRequestCode(ctx, id, code)
|
|
|
|
}
|
|
|
|
|
2020-08-31 08:49:35 +02:00
|
|
|
userAgentID, ok := middleware.UserAgentIDFromCtx(ctx)
|
|
|
|
if !ok {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(nil, "OIDC-Dgus2", "no user agent id")
|
2020-08-31 08:49:35 +02:00
|
|
|
}
|
2022-04-05 07:58:09 +02:00
|
|
|
return o.repo.SaveAuthCode(ctx, id, code, userAgentID)
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
|
|
|
|
2020-10-21 10:18:34 +02:00
|
|
|
func (o *OPStorage) DeleteAuthRequest(ctx context.Context, id string) (err error) {
|
2024-05-16 08:07:56 +03:00
|
|
|
panic(o.panicErr("DeleteAuthRequest"))
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
|
|
|
|
2024-05-16 08:07:56 +03:00
|
|
|
func (o *OPStorage) CreateAccessToken(ctx context.Context, req op.TokenRequest) (string, time.Time, error) {
|
|
|
|
panic(o.panicErr("CreateAccessToken"))
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
|
|
|
|
2024-05-16 08:07:56 +03:00
|
|
|
func (o *OPStorage) CreateAccessAndRefreshTokens(context.Context, op.TokenRequest, string) (string, string, time.Time, error) {
|
|
|
|
panic(o.panicErr("CreateAccessAndRefreshTokens"))
|
|
|
|
}
|
2023-10-25 14:09:15 +02:00
|
|
|
|
2024-05-16 08:07:56 +03:00
|
|
|
func (*OPStorage) panicErr(method string) error {
|
|
|
|
return fmt.Errorf("OPStorage.%s should not be called anymore. This is a bug. Please report https://github.com/zitadel/zitadel/issues", method)
|
2021-05-20 13:33:35 +02:00
|
|
|
}
|
|
|
|
|
2023-07-10 15:27:00 +02:00
|
|
|
func (o *OPStorage) TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (_ op.RefreshTokenRequest, err error) {
|
2024-05-16 08:07:56 +03:00
|
|
|
panic("TokenRequestByRefreshToken should not be called anymore. This is a bug. Please report https://github.com/zitadel/zitadel/issues")
|
2021-05-20 13:33:35 +02:00
|
|
|
}
|
|
|
|
|
2020-10-21 10:18:34 +02:00
|
|
|
func (o *OPStorage) TerminateSession(ctx context.Context, userID, clientID string) (err error) {
|
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
2024-01-18 08:10:49 +02:00
|
|
|
defer func() {
|
|
|
|
err = oidcError(err)
|
|
|
|
span.EndWithError(err)
|
|
|
|
}()
|
2020-08-31 08:49:35 +02:00
|
|
|
userAgentID, ok := middleware.UserAgentIDFromCtx(ctx)
|
2020-06-05 07:50:04 +02:00
|
|
|
if !ok {
|
2022-07-27 09:49:16 +02:00
|
|
|
logging.Error("no user agent id")
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowPreconditionFailed(nil, "OIDC-fso7F", "no user agent id")
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
2021-02-08 11:30:30 +01:00
|
|
|
userIDs, err := o.repo.UserSessionUserIDsByAgentID(ctx, userAgentID)
|
|
|
|
if err != nil {
|
2022-07-27 09:49:16 +02:00
|
|
|
logging.WithError(err).Error("error retrieving user sessions")
|
2021-02-08 11:30:30 +01:00
|
|
|
return err
|
|
|
|
}
|
2021-07-19 15:12:00 +02:00
|
|
|
if len(userIDs) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
2022-03-24 14:00:24 +01:00
|
|
|
data := authz.CtxData{
|
|
|
|
UserID: userID,
|
|
|
|
}
|
|
|
|
err = o.command.HumansSignOut(authz.SetCtxData(ctx, data), userAgentID, userIDs)
|
2022-07-27 09:49:16 +02:00
|
|
|
logging.OnError(err).Error("error signing out")
|
2021-07-08 13:55:21 +02:00
|
|
|
return err
|
2020-06-05 07:50:04 +02:00
|
|
|
}
|
|
|
|
|
2023-07-19 13:17:39 +02:00
|
|
|
func (o *OPStorage) TerminateSessionFromRequest(ctx context.Context, endSessionRequest *op.EndSessionRequest) (redirectURI string, err error) {
|
2023-07-17 14:33:37 +02:00
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
2024-01-18 08:10:49 +02:00
|
|
|
defer func() {
|
|
|
|
err = oidcError(err)
|
|
|
|
span.EndWithError(err)
|
|
|
|
}()
|
2023-07-17 14:33:37 +02:00
|
|
|
|
2023-07-19 13:17:39 +02:00
|
|
|
// check for the login client header
|
|
|
|
headers, _ := http_utils.HeadersFromCtx(ctx)
|
2024-05-16 08:07:56 +03:00
|
|
|
// in case there is no id_token_hint, redirect to the UI and let it decide which session to terminate
|
|
|
|
if headers.Get(LoginClientHeader) != "" && endSessionRequest.IDTokenHintClaims == nil {
|
|
|
|
return o.defaultLogoutURLV2 + endSessionRequest.RedirectURI, nil
|
2023-07-19 13:17:39 +02:00
|
|
|
}
|
|
|
|
|
2024-05-16 08:07:56 +03:00
|
|
|
// If there is no login client header and no id_token_hint or the id_token_hint does not have a session ID,
|
2024-09-04 12:14:50 +02:00
|
|
|
// do a v1 Terminate session (which terminates all sessions of the user agent, identified by cookie).
|
2024-05-16 08:07:56 +03:00
|
|
|
if endSessionRequest.IDTokenHintClaims == nil || endSessionRequest.IDTokenHintClaims.SessionID == "" {
|
|
|
|
return endSessionRequest.RedirectURI, o.TerminateSession(ctx, endSessionRequest.UserID, endSessionRequest.ClientID)
|
2023-07-19 13:17:39 +02:00
|
|
|
}
|
|
|
|
|
2024-09-04 12:14:50 +02:00
|
|
|
// If the sessionID is prefixed by V1, we also terminate a v1 session.
|
|
|
|
if strings.HasPrefix(endSessionRequest.IDTokenHintClaims.SessionID, handler.IDPrefixV1) {
|
|
|
|
err = o.terminateV1Session(ctx, endSessionRequest.UserID, endSessionRequest.IDTokenHintClaims.SessionID)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return endSessionRequest.RedirectURI, nil
|
|
|
|
}
|
|
|
|
|
2024-05-16 08:07:56 +03:00
|
|
|
// terminate the v2 session of the id_token_hint
|
2023-07-19 13:17:39 +02:00
|
|
|
_, err = o.command.TerminateSessionWithoutTokenCheck(ctx, endSessionRequest.IDTokenHintClaims.SessionID)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return endSessionRequest.RedirectURI, nil
|
|
|
|
}
|
|
|
|
|
2024-09-04 12:14:50 +02:00
|
|
|
// terminateV1Session terminates "v1" sessions created through the login UI.
|
|
|
|
// Depending on the flag, we either terminate a single session or all of the user agent
|
|
|
|
func (o *OPStorage) terminateV1Session(ctx context.Context, userID, sessionID string) error {
|
|
|
|
ctx = authz.SetCtxData(ctx, authz.CtxData{UserID: userID})
|
|
|
|
// if the flag is active we only terminate the specific session
|
|
|
|
if authz.GetFeatures(ctx).OIDCSingleV1SessionTermination {
|
|
|
|
userAgentID, err := o.repo.UserAgentIDBySessionID(ctx, sessionID)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return o.command.HumansSignOut(ctx, userAgentID, []string{userID})
|
|
|
|
}
|
|
|
|
// otherwise we search for all active sessions within the same user agent of the current session id
|
|
|
|
userAgentID, userIDs, err := o.repo.ActiveUserIDsBySessionID(ctx, sessionID)
|
|
|
|
if err != nil {
|
|
|
|
logging.WithError(err).Error("error retrieving user sessions")
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if len(userIDs) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return o.command.HumansSignOut(ctx, userAgentID, userIDs)
|
|
|
|
}
|
|
|
|
|
2023-07-19 13:17:39 +02:00
|
|
|
func (o *OPStorage) RevokeToken(ctx context.Context, token, userID, clientID string) (err *oidc.Error) {
|
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
|
|
defer func() {
|
|
|
|
// check for nil, because `err` is not an error and EndWithError would panic
|
|
|
|
if err == nil {
|
|
|
|
span.End()
|
|
|
|
return
|
|
|
|
}
|
|
|
|
span.EndWithError(err)
|
|
|
|
}()
|
|
|
|
|
2023-07-17 14:33:37 +02:00
|
|
|
if strings.HasPrefix(token, command.IDPrefixV2) {
|
|
|
|
err := o.command.RevokeOIDCSessionToken(ctx, token, clientID)
|
|
|
|
if err == nil {
|
|
|
|
return nil
|
|
|
|
}
|
2023-12-08 16:30:55 +02:00
|
|
|
if zerrors.IsPreconditionFailed(err) {
|
2023-07-17 14:33:37 +02:00
|
|
|
return oidc.ErrInvalidClient().WithDescription("token was not issued for this client")
|
|
|
|
}
|
2024-08-20 09:45:24 +03:00
|
|
|
return oidc.ErrServerError().WithParent(err).WithReturnParentToClient(authz.GetFeatures(ctx).DebugOIDCParentError)
|
2023-07-17 14:33:37 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return o.revokeTokenV1(ctx, token, userID, clientID)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (o *OPStorage) revokeTokenV1(ctx context.Context, token, userID, clientID string) *oidc.Error {
|
2023-03-28 14:28:56 +03:00
|
|
|
refreshToken, err := o.repo.RefreshTokenByID(ctx, token, userID)
|
2021-11-03 08:35:24 +01:00
|
|
|
if err == nil {
|
|
|
|
if refreshToken.ClientID != clientID {
|
|
|
|
return oidc.ErrInvalidClient().WithDescription("token was not issued for this client")
|
|
|
|
}
|
|
|
|
_, err = o.command.RevokeRefreshToken(ctx, refreshToken.UserID, refreshToken.ResourceOwner, refreshToken.ID)
|
2023-12-08 16:30:55 +02:00
|
|
|
if err == nil || zerrors.IsNotFound(err) {
|
2021-11-03 08:35:24 +01:00
|
|
|
return nil
|
|
|
|
}
|
2024-08-20 09:45:24 +03:00
|
|
|
return oidc.ErrServerError().WithParent(err).WithReturnParentToClient(authz.GetFeatures(ctx).DebugOIDCParentError)
|
2021-11-03 08:35:24 +01:00
|
|
|
}
|
2022-09-15 14:59:40 +02:00
|
|
|
accessToken, err := o.repo.TokenByIDs(ctx, userID, token)
|
2021-11-03 08:35:24 +01:00
|
|
|
if err != nil {
|
2023-12-08 16:30:55 +02:00
|
|
|
if zerrors.IsNotFound(err) {
|
2021-11-03 08:35:24 +01:00
|
|
|
return nil
|
|
|
|
}
|
2024-08-20 09:45:24 +03:00
|
|
|
return oidc.ErrServerError().WithParent(err).WithReturnParentToClient(authz.GetFeatures(ctx).DebugOIDCParentError)
|
2021-11-03 08:35:24 +01:00
|
|
|
}
|
|
|
|
if accessToken.ApplicationID != clientID {
|
|
|
|
return oidc.ErrInvalidClient().WithDescription("token was not issued for this client")
|
|
|
|
}
|
|
|
|
_, err = o.command.RevokeAccessToken(ctx, userID, accessToken.ResourceOwner, accessToken.ID)
|
2023-12-08 16:30:55 +02:00
|
|
|
if err == nil || zerrors.IsNotFound(err) {
|
2021-11-03 08:35:24 +01:00
|
|
|
return nil
|
|
|
|
}
|
2024-08-20 09:45:24 +03:00
|
|
|
return oidc.ErrServerError().WithParent(err).WithReturnParentToClient(authz.GetFeatures(ctx).DebugOIDCParentError)
|
2021-11-03 08:35:24 +01:00
|
|
|
}
|
|
|
|
|
2023-03-28 14:28:56 +03:00
|
|
|
func (o *OPStorage) GetRefreshTokenInfo(ctx context.Context, clientID string, token string) (userID string, tokenID string, err error) {
|
2024-01-18 08:10:49 +02:00
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
|
|
defer func() {
|
|
|
|
err = oidcError(err)
|
|
|
|
span.EndWithError(err)
|
|
|
|
}()
|
|
|
|
|
2023-07-17 14:33:37 +02:00
|
|
|
plainToken, err := o.decryptGrant(token)
|
|
|
|
if err != nil {
|
|
|
|
return "", "", op.ErrInvalidRefreshToken
|
|
|
|
}
|
|
|
|
if strings.HasPrefix(plainToken, command.IDPrefixV2) {
|
|
|
|
oidcSession, err := o.command.OIDCSessionByRefreshToken(ctx, plainToken)
|
|
|
|
if err != nil {
|
|
|
|
return "", "", op.ErrInvalidRefreshToken
|
|
|
|
}
|
|
|
|
return oidcSession.UserID, oidcSession.OIDCRefreshTokenID(oidcSession.RefreshTokenID), nil
|
|
|
|
}
|
2023-03-28 14:28:56 +03:00
|
|
|
refreshToken, err := o.repo.RefreshTokenByToken(ctx, token)
|
|
|
|
if err != nil {
|
|
|
|
return "", "", op.ErrInvalidRefreshToken
|
|
|
|
}
|
|
|
|
if refreshToken.ClientID != clientID {
|
|
|
|
return "", "", oidc.ErrInvalidClient().WithDescription("token was not issued for this client")
|
|
|
|
}
|
|
|
|
return refreshToken.UserID, refreshToken.ID, nil
|
|
|
|
}
|
|
|
|
|
2021-12-17 16:11:18 +01:00
|
|
|
func (o *OPStorage) assertProjectRoleScopes(ctx context.Context, clientID string, scopes []string) ([]string, error) {
|
2020-10-16 07:49:38 +02:00
|
|
|
for _, scope := range scopes {
|
|
|
|
if strings.HasPrefix(scope, ScopeProjectRolePrefix) {
|
|
|
|
return scopes, nil
|
|
|
|
}
|
|
|
|
}
|
2024-04-22 11:30:56 +02:00
|
|
|
|
|
|
|
project, err := o.query.ProjectByOIDCClientID(ctx, clientID)
|
2021-12-17 16:11:18 +01:00
|
|
|
if err != nil {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "OIDC-w4wIn", "Errors.Internal")
|
2021-12-17 16:11:18 +01:00
|
|
|
}
|
|
|
|
if !project.ProjectRoleAssertion {
|
|
|
|
return scopes, nil
|
|
|
|
}
|
2021-11-26 07:57:05 +01:00
|
|
|
projectIDQuery, err := query.NewProjectRoleProjectIDSearchQuery(project.ID)
|
2021-11-04 13:46:15 +01:00
|
|
|
if err != nil {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowInternal(err, "OIDC-Cyc78", "Errors.Internal")
|
2021-11-04 13:46:15 +01:00
|
|
|
}
|
2023-11-20 16:21:08 +01:00
|
|
|
roles, err := o.query.SearchProjectRoles(ctx, true, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
|
2020-10-16 07:49:38 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-11-04 13:46:15 +01:00
|
|
|
for _, role := range roles.ProjectRoles {
|
2020-10-16 07:49:38 +02:00
|
|
|
scopes = append(scopes, ScopeProjectRolePrefix+role.Key)
|
|
|
|
}
|
|
|
|
return scopes, nil
|
|
|
|
}
|
2022-02-08 09:37:28 +01:00
|
|
|
|
2023-07-10 15:27:00 +02:00
|
|
|
func (o *OPStorage) assertProjectRoleScopesByProject(ctx context.Context, project *query.Project, scopes []string) ([]string, error) {
|
|
|
|
for _, scope := range scopes {
|
|
|
|
if strings.HasPrefix(scope, ScopeProjectRolePrefix) {
|
|
|
|
return scopes, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !project.ProjectRoleAssertion {
|
|
|
|
return scopes, nil
|
|
|
|
}
|
|
|
|
projectIDQuery, err := query.NewProjectRoleProjectIDSearchQuery(project.ID)
|
|
|
|
if err != nil {
|
2023-12-08 16:30:55 +02:00
|
|
|
return nil, zerrors.ThrowInternal(err, "OIDC-Cyc78", "Errors.Internal")
|
2023-07-10 15:27:00 +02:00
|
|
|
}
|
2023-11-20 16:21:08 +01:00
|
|
|
roles, err := o.query.SearchProjectRoles(ctx, true, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
|
2023-07-10 15:27:00 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
for _, role := range roles.ProjectRoles {
|
|
|
|
scopes = append(scopes, ScopeProjectRolePrefix+role.Key)
|
|
|
|
}
|
|
|
|
return scopes, nil
|
|
|
|
}
|
|
|
|
|
2023-04-03 14:26:51 +02:00
|
|
|
func (o *OPStorage) assertClientScopesForPAT(ctx context.Context, token *model.TokenView, clientID, projectID string) error {
|
2022-02-08 09:37:28 +01:00
|
|
|
token.Audience = append(token.Audience, clientID)
|
|
|
|
projectIDQuery, err := query.NewProjectRoleProjectIDSearchQuery(projectID)
|
|
|
|
if err != nil {
|
2023-12-08 16:30:55 +02:00
|
|
|
return zerrors.ThrowInternal(err, "OIDC-Cyc78", "Errors.Internal")
|
2022-02-08 09:37:28 +01:00
|
|
|
}
|
2023-11-20 16:21:08 +01:00
|
|
|
roles, err := o.query.SearchProjectRoles(ctx, true, &query.ProjectRoleSearchQueries{Queries: []query.SearchQuery{projectIDQuery}})
|
2022-02-08 09:37:28 +01:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
for _, role := range roles.ProjectRoles {
|
|
|
|
token.Scopes = append(token.Scopes, ScopeProjectRolePrefix+role.Key)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2022-03-24 14:00:24 +01:00
|
|
|
|
|
|
|
func setContextUserSystem(ctx context.Context) context.Context {
|
|
|
|
data := authz.CtxData{
|
|
|
|
UserID: "SYSTEM",
|
|
|
|
}
|
|
|
|
return authz.SetCtxData(ctx, data)
|
|
|
|
}
|
2022-09-27 11:53:49 +01:00
|
|
|
|
2023-07-10 15:27:00 +02:00
|
|
|
func CreateErrorCallbackURL(authReq op.AuthRequest, reason, description, uri string, authorizer op.Authorizer) (string, error) {
|
|
|
|
e := struct {
|
|
|
|
Error string `schema:"error"`
|
|
|
|
Description string `schema:"error_description,omitempty"`
|
|
|
|
URI string `schema:"error_uri,omitempty"`
|
|
|
|
State string `schema:"state,omitempty"`
|
|
|
|
}{
|
|
|
|
Error: reason,
|
|
|
|
Description: description,
|
|
|
|
URI: uri,
|
|
|
|
State: authReq.GetState(),
|
|
|
|
}
|
|
|
|
callback, err := op.AuthResponseURL(authReq.GetRedirectURI(), authReq.GetResponseType(), authReq.GetResponseMode(), e, authorizer.Encoder())
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return callback, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func CreateCodeCallbackURL(ctx context.Context, authReq op.AuthRequest, authorizer op.Authorizer) (string, error) {
|
|
|
|
code, err := op.CreateAuthRequestCode(ctx, authReq, authorizer.Storage(), authorizer.Crypto())
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
codeResponse := struct {
|
|
|
|
code string
|
|
|
|
state string
|
|
|
|
}{
|
|
|
|
code: code,
|
|
|
|
state: authReq.GetState(),
|
|
|
|
}
|
|
|
|
callback, err := op.AuthResponseURL(authReq.GetRedirectURI(), authReq.GetResponseType(), authReq.GetResponseMode(), &codeResponse, authorizer.Encoder())
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return callback, err
|
|
|
|
}
|
|
|
|
|
2024-05-16 08:07:56 +03:00
|
|
|
func (s *Server) CreateTokenCallbackURL(ctx context.Context, req op.AuthRequest) (string, error) {
|
|
|
|
provider := s.Provider()
|
|
|
|
opClient, err := provider.Storage().GetClientByClientID(ctx, req.GetClientID())
|
2023-07-10 15:27:00 +02:00
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
2024-05-16 08:07:56 +03:00
|
|
|
client, ok := opClient.(*Client)
|
|
|
|
if !ok {
|
|
|
|
return "", zerrors.ThrowInternal(nil, "OIDC-waeN6", "Error.Internal")
|
|
|
|
}
|
|
|
|
|
|
|
|
session, state, err := s.command.CreateOIDCSessionFromAuthRequest(
|
|
|
|
setContextUserSystem(ctx),
|
|
|
|
req.GetID(),
|
|
|
|
implicitFlowComplianceChecker(),
|
|
|
|
slices.Contains(client.GrantTypes(), oidc.GrantTypeRefreshToken),
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
2024-05-31 12:10:18 +02:00
|
|
|
resp, err := s.accessTokenResponseFromSession(ctx, client, session, state, client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion)
|
2023-07-10 15:27:00 +02:00
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
2024-05-16 08:07:56 +03:00
|
|
|
callback, err := op.AuthResponseURL(req.GetRedirectURI(), req.GetResponseType(), req.GetResponseMode(), resp, provider.Encoder())
|
2023-07-10 15:27:00 +02:00
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return callback, err
|
|
|
|
}
|
2024-05-16 08:07:56 +03:00
|
|
|
|
|
|
|
func implicitFlowComplianceChecker() command.AuthRequestComplianceChecker {
|
|
|
|
return func(_ context.Context, authReq *command.AuthRequestWriteModel) error {
|
|
|
|
if err := authReq.CheckAuthenticated(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *Server) authorizeCallbackHandler(w http.ResponseWriter, r *http.Request) {
|
|
|
|
authorizer := s.Provider()
|
2024-05-23 07:35:10 +02:00
|
|
|
authReq, err := func(ctx context.Context) (authReq *AuthRequest, err error) {
|
|
|
|
ctx, span := tracing.NewSpan(ctx)
|
2024-05-16 08:07:56 +03:00
|
|
|
r = r.WithContext(ctx)
|
|
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
|
|
|
|
id, err := op.ParseAuthorizeCallbackRequest(r)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2024-05-23 07:35:10 +02:00
|
|
|
authReq, err = s.getAuthRequestV1ByID(ctx, id)
|
2024-05-16 08:07:56 +03:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if !authReq.Done() {
|
|
|
|
return authReq, oidc.ErrInteractionRequired().WithDescription("Unfortunately, the user may be not logged in and/or additional interaction is required.")
|
|
|
|
}
|
|
|
|
return authReq, s.authResponse(authReq, authorizer, w, r)
|
2024-05-23 07:35:10 +02:00
|
|
|
}(r.Context())
|
2024-05-16 08:07:56 +03:00
|
|
|
if err != nil {
|
2024-07-04 16:11:06 +02:00
|
|
|
// we need to make sure there's no empty interface passed
|
|
|
|
if authReq == nil {
|
|
|
|
op.AuthRequestError(w, r, nil, err, authorizer)
|
|
|
|
return
|
|
|
|
}
|
2024-05-16 08:07:56 +03:00
|
|
|
op.AuthRequestError(w, r, authReq, err, authorizer)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2024-05-23 07:35:10 +02:00
|
|
|
func (s *Server) authResponse(authReq *AuthRequest, authorizer op.Authorizer, w http.ResponseWriter, r *http.Request) (err error) {
|
2024-05-16 08:07:56 +03:00
|
|
|
ctx, span := tracing.NewSpan(r.Context())
|
|
|
|
r = r.WithContext(ctx)
|
|
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
|
|
|
|
client, err := authorizer.Storage().GetClientByClientID(ctx, authReq.GetClientID())
|
|
|
|
if err != nil {
|
|
|
|
op.AuthRequestError(w, r, authReq, err, authorizer)
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if authReq.GetResponseType() == oidc.ResponseTypeCode {
|
|
|
|
op.AuthResponseCode(w, r, authReq, authorizer)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return s.authResponseToken(authReq, authorizer, client, w, r)
|
|
|
|
}
|
|
|
|
|
2024-05-23 07:35:10 +02:00
|
|
|
func (s *Server) authResponseToken(authReq *AuthRequest, authorizer op.Authorizer, opClient op.Client, w http.ResponseWriter, r *http.Request) (err error) {
|
2024-05-16 08:07:56 +03:00
|
|
|
ctx, span := tracing.NewSpan(r.Context())
|
|
|
|
r = r.WithContext(ctx)
|
|
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
|
|
|
|
client, ok := opClient.(*Client)
|
|
|
|
if !ok {
|
|
|
|
return zerrors.ThrowInternal(nil, "OIDC-waeN6", "Error.Internal")
|
|
|
|
}
|
|
|
|
|
|
|
|
scope := authReq.GetScopes()
|
|
|
|
session, err := s.command.CreateOIDCSession(ctx,
|
2024-05-23 07:35:10 +02:00
|
|
|
authReq.UserID,
|
|
|
|
authReq.UserOrgID,
|
2024-05-16 08:07:56 +03:00
|
|
|
client.client.ClientID,
|
|
|
|
scope,
|
2024-05-23 07:35:10 +02:00
|
|
|
authReq.Audience,
|
|
|
|
authReq.AuthMethods(),
|
|
|
|
authReq.AuthTime,
|
2024-05-16 08:07:56 +03:00
|
|
|
authReq.GetNonce(),
|
2024-05-23 07:35:10 +02:00
|
|
|
authReq.PreferredLanguage,
|
2024-07-03 09:43:34 +02:00
|
|
|
authReq.ToUserAgent(),
|
2024-05-23 07:35:10 +02:00
|
|
|
domain.TokenReasonAuthRequest,
|
|
|
|
nil,
|
2024-05-16 08:07:56 +03:00
|
|
|
slices.Contains(scope, oidc.ScopeOfflineAccess),
|
2024-09-03 15:19:00 +02:00
|
|
|
authReq.SessionID,
|
2024-05-16 08:07:56 +03:00
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
op.AuthRequestError(w, r, authReq, err, authorizer)
|
|
|
|
return err
|
|
|
|
}
|
2024-05-31 12:10:18 +02:00
|
|
|
resp, err := s.accessTokenResponseFromSession(ctx, client, session, authReq.GetState(), client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion)
|
2024-05-16 08:07:56 +03:00
|
|
|
if err != nil {
|
|
|
|
op.AuthRequestError(w, r, authReq, err, authorizer)
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if authReq.GetResponseMode() == oidc.ResponseModeFormPost {
|
|
|
|
if err = op.AuthResponseFormPost(w, authReq.GetRedirectURI(), resp, authorizer.Encoder()); err != nil {
|
|
|
|
op.AuthRequestError(w, r, authReq, err, authorizer)
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
callback, err := op.AuthResponseURL(authReq.GetRedirectURI(), authReq.GetResponseType(), authReq.GetResponseMode(), resp, authorizer.Encoder())
|
|
|
|
if err != nil {
|
|
|
|
op.AuthRequestError(w, r, authReq, err, authorizer)
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
http.Redirect(w, r, callback, http.StatusFound)
|
|
|
|
return nil
|
|
|
|
}
|