zitadel/internal/query/oidc_client_by_id.sql

with client as (
	select c.instance_id,
		c.app_id, a.state, c.client_id, c.back_channel_logout_uri, c.client_secret, c.redirect_uris, c.response_types,
		c.grant_types, c.application_type, c.auth_method_type, c.post_logout_redirect_uris, c.is_dev_mode,
		c.access_token_type, c.access_token_role_assertion, c.id_token_role_assertion,
		c.id_token_userinfo_assertion, c.clock_skew, c.additional_origins, a.project_id, p.project_role_assertion
	from projections.apps7_oidc_configs c
	join projections.apps7 a on a.id = c.app_id and a.instance_id = c.instance_id and a.state = 1
	join projections.projects4 p on p.id = a.project_id and p.instance_id = a.instance_id and p.state = 1
    join projections.orgs1 o on o.id = p.resource_owner and o.instance_id = c.instance_id and o.org_state = 1
	where c.instance_id = $1
		and c.client_id = $2
),
roles as (
	select p.project_id, json_agg(p.role_key) as project_role_keys
	from projections.project_roles4 p
	join client c on c.project_id = p.project_id
		and p.instance_id = c.instance_id
	group by p.project_id
),
keys as (
	select identifier as client_id, json_object_agg(id, encode(public_key, 'base64')) as public_keys
	from projections.authn_keys2
	where $3 = true -- when argument is false, don't waste time on trying to query for keys.
		and instance_id = $1
		and identifier = $2
		and expiration > current_timestamp
	group by identifier
),
settings as (
	select instance_id, json_build_object(
		'access_token_lifetime', access_token_lifetime,
		'id_token_lifetime', id_token_lifetime,
		'refresh_token_idle_expiration', refresh_token_idle_expiration,
		'refresh_token_expiration', refresh_token_expiration
	) as settings
	from projections.oidc_settings2
	where aggregate_id = $1
		and instance_id = $1
)

select row_to_json(r) as client from (
	select c.*, r.project_role_keys, k.public_keys, s.settings
	from client c
	left join roles r on r.project_id = c.project_id
	left join keys k on k.client_id = c.client_id
	left join settings s on s.instance_id = c.instance_id
) r;
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`with client as (`
			`select c.instance_id,`
feat(OIDC): add back channel logout (#8837) # Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl> 2024-10-31 14:57:17 +00:00			`c.app_id, a.state, c.client_id, c.back_channel_logout_uri, c.client_secret, c.redirect_uris, c.response_types,`
			`c.grant_types, c.application_type, c.auth_method_type, c.post_logout_redirect_uris, c.is_dev_mode,`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`c.access_token_type, c.access_token_role_assertion, c.id_token_role_assertion,`
feat(oidc): optimize the userinfo endpoint (#7706) * feat(oidc): optimize the userinfo endpoint * store project ID in the access token * query for projectID if not in token * add scope based tests * Revert "store project ID in the access token" This reverts commit 5f0262f23988e7f62d415d0e4a02a705f6ad5197. * query project role assertion * use project role assertion setting to return roles * workaround eventual consistency and handle PAT * do not append empty project id 2024-04-09 13:15:35 +00:00			`c.id_token_userinfo_assertion, c.clock_skew, c.additional_origins, a.project_id, p.project_role_assertion`
feat(crypto): use passwap for machine and app secrets (#7657) * feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix intergration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2024-04-05 09:35:49 +00:00			`from projections.apps7_oidc_configs c`
fix: correctly check app state on authentication (#8630) # Which Problems Are Solved In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. # How the Problems Are Solved - Correctly check the status of the organization and related project. (Corresponding functions have been renamed to `Active...`) 2024-09-17 11:34:14 +00:00			`join projections.apps7 a on a.id = c.app_id and a.instance_id = c.instance_id and a.state = 1`
			`join projections.projects4 p on p.id = a.project_id and p.instance_id = a.instance_id and p.state = 1`
			`join projections.orgs1 o on o.id = p.resource_owner and o.instance_id = c.instance_id and o.org_state = 1`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`where c.instance_id = $1`
			`and c.client_id = $2`
			`),`
			`roles as (`
			`select p.project_id, json_agg(p.role_key) as project_role_keys`
			`from projections.project_roles4 p`
			`join client c on c.project_id = p.project_id`
			`and p.instance_id = c.instance_id`
			`group by p.project_id`
			`),`
			`keys as (`
			`select identifier as client_id, json_object_agg(id, encode(public_key, 'base64')) as public_keys`
			`from projections.authn_keys2`
			`where $3 = true -- when argument is false, don't waste time on trying to query for keys.`
			`and instance_id = $1`
			`and identifier = $2`
			`and expiration > current_timestamp`
			`group by identifier`
			`),`
			`settings as (`
feat(oidc): token exchange impersonation (#7516) * add token exchange feature flag * allow setting reason and actor to access tokens * impersonation * set token types and scopes in response * upgrade oidc to working draft state * fix tests * audience and scope validation * id toke and jwt as input * return id tokens * add grant type token exchange to app config * add integration tests * check and deny actors in api calls * fix instance setting tests by triggering projection on write and cleanup * insert sleep statements again * solve linting issues * add translations * pin oidc v3.15.0 * resolve comments, add event translation * fix refreshtoken test * use ValidateAuthReqScopes from oidc * apparently the linter can't make up its mind * persist actor thru refresh tokens and check in tests * remove unneeded triggers 2024-03-20 10:18:46 +00:00			`select instance_id, json_build_object(`
			`'access_token_lifetime', access_token_lifetime,`
			`'id_token_lifetime', id_token_lifetime,`
			`'refresh_token_idle_expiration', refresh_token_idle_expiration,`
			`'refresh_token_expiration', refresh_token_expiration`
			`) as settings`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`from projections.oidc_settings2`
			`where aggregate_id = $1`
			`and instance_id = $1`
			`)`

			`select row_to_json(r) as client from (`
fix(oidc): return clients without instance settings (#7036) 2023-12-07 09:43:45 +00:00			`select c.*, r.project_role_keys, k.public_keys, s.settings`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`from client c`
			`left join roles r on r.project_id = c.project_id`
			`left join keys k on k.client_id = c.client_id`
feat(oidc): optimize the userinfo endpoint (#7706) * feat(oidc): optimize the userinfo endpoint * store project ID in the access token * query for projectID if not in token * add scope based tests * Revert "store project ID in the access token" This reverts commit 5f0262f23988e7f62d415d0e4a02a705f6ad5197. * query project role assertion * use project role assertion setting to return roles * workaround eventual consistency and handle PAT * do not append empty project id 2024-04-09 13:15:35 +00:00			`left join settings s on s.instance_id = c.instance_id`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`) r;`