zitadel/internal/query/oidc_client.go

package query

import (
	"context"
	"database/sql"
	_ "embed"
	"errors"
	"time"

	"github.com/zitadel/zitadel/internal/api/authz"
	http_util "github.com/zitadel/zitadel/internal/api/http"
	"github.com/zitadel/zitadel/internal/api/ui/console/path"
	"github.com/zitadel/zitadel/internal/database"
	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/telemetry/tracing"
	"github.com/zitadel/zitadel/internal/zerrors"
)

type OIDCClient struct {
	InstanceID               string                     `json:"instance_id,omitempty"`
	AppID                    string                     `json:"app_id,omitempty"`
	State                    domain.AppState            `json:"state,omitempty"`
	ClientID                 string                     `json:"client_id,omitempty"`
	BackChannelLogoutURI     string                     `json:"back_channel_logout_uri,omitempty"`
	HashedSecret             string                     `json:"client_secret,omitempty"`
	RedirectURIs             []string                   `json:"redirect_uris,omitempty"`
	ResponseTypes            []domain.OIDCResponseType  `json:"response_types,omitempty"`
	GrantTypes               []domain.OIDCGrantType     `json:"grant_types,omitempty"`
	ApplicationType          domain.OIDCApplicationType `json:"application_type,omitempty"`
	AuthMethodType           domain.OIDCAuthMethodType  `json:"auth_method_type,omitempty"`
	PostLogoutRedirectURIs   []string                   `json:"post_logout_redirect_uris,omitempty"`
	IsDevMode                bool                       `json:"is_dev_mode,omitempty"`
	AccessTokenType          domain.OIDCTokenType       `json:"access_token_type,omitempty"`
	AccessTokenRoleAssertion bool                       `json:"access_token_role_assertion,omitempty"`
	IDTokenRoleAssertion     bool                       `json:"id_token_role_assertion,omitempty"`
	IDTokenUserinfoAssertion bool                       `json:"id_token_userinfo_assertion,omitempty"`
	ClockSkew                time.Duration              `json:"clock_skew,omitempty"`
	AdditionalOrigins        []string                   `json:"additional_origins,omitempty"`
	PublicKeys               map[string][]byte          `json:"public_keys,omitempty"`
	ProjectID                string                     `json:"project_id,omitempty"`
	ProjectRoleAssertion     bool                       `json:"project_role_assertion,omitempty"`
	ProjectRoleKeys          []string                   `json:"project_role_keys,omitempty"`
	Settings                 *OIDCSettings              `json:"settings,omitempty"`
}

//go:embed oidc_client_by_id.sql
var oidcClientQuery string

func (q *Queries) ActiveOIDCClientByID(ctx context.Context, clientID string, getKeys bool) (client *OIDCClient, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	client, err = database.QueryJSONObject[OIDCClient](ctx, q.client, oidcClientQuery,
		authz.GetInstance(ctx).InstanceID(), clientID, getKeys,
	)
	if errors.Is(err, sql.ErrNoRows) {
		return nil, zerrors.ThrowNotFound(err, "QUERY-wu6Ee", "Errors.App.NotFound")
	}
	if err != nil {
		return nil, zerrors.ThrowInternal(err, "QUERY-ieR7R", "Errors.Internal")
	}
	if authz.GetInstance(ctx).ConsoleClientID() == clientID {
		client.RedirectURIs = append(client.RedirectURIs, http_util.DomainContext(ctx).Origin()+path.RedirectPath)
		client.PostLogoutRedirectURIs = append(client.PostLogoutRedirectURIs, http_util.DomainContext(ctx).Origin()+path.PostLogoutPath)
	}
	return client, err
}
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`package query`

			`import (`
			`"context"`
			`"database/sql"`
			`_ "embed"`
			`"errors"`
			`"time"`

			`"github.com/zitadel/zitadel/internal/api/authz"`
feat: trusted (instance) domains (#8369) # Which Problems Are Solved ZITADEL currently selects the instance context based on a HTTP header (see https://github.com/zitadel/zitadel/issues/8279#issue-2399959845 and checks it against the list of instance domains. Let's call it instance or API domain. For any context based URL (e.g. OAuth, OIDC, SAML endpoints, links in emails, ...) the requested domain (instance domain) will be used. Let's call it the public domain. In cases of proxied setups, all exposed domains (public domains) require the domain to be managed as instance domain. This can either be done using the "ExternalDomain" in the runtime config or via system API, which requires a validation through CustomerPortal on zitadel.cloud. # How the Problems Are Solved - Two new headers / header list are added: - `InstanceHostHeaders`: an ordered list (first sent wins), which will be used to match the instance. (For backward compatibility: the `HTTP1HostHeader`, `HTTP2HostHeader` and `forwarded`, `x-forwarded-for`, `x-forwarded-host` are checked afterwards as well) - `PublicHostHeaders`: an ordered list (first sent wins), which will be used as public host / domain. This will be checked against a list of trusted domains on the instance. - The middleware intercepts all requests to the API and passes a `DomainCtx` object with the hosts and protocol into the context (previously only a computed `origin` was passed) - HTTP / GRPC server do not longer try to match the headers to instances themself, but use the passed `http.DomainContext` in their interceptors. - The `RequestedHost` and `RequestedDomain` from authz.Instance are removed in favor of the `http.DomainContext` - When authenticating to or signing out from Console UI, the current `http.DomainContext(ctx).Origin` (already checked by instance interceptor for validity) is used to compute and dynamically add a `redirect_uri` and `post_logout_redirect_uri`. - Gateway passes all configured host headers (previously only did `x-zitadel-*`) - Admin API allows to manage trusted domain # Additional Changes None # Additional Context - part of #8279 - open topics: - "single-instance" mode - Console UI 2024-07-31 15:00:38 +00:00			`http_util "github.com/zitadel/zitadel/internal/api/http"`
			`"github.com/zitadel/zitadel/internal/api/ui/console/path"`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`"github.com/zitadel/zitadel/internal/database"`
			`"github.com/zitadel/zitadel/internal/domain"`
			`"github.com/zitadel/zitadel/internal/telemetry/tracing"`
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com> 2023-12-08 14:30:55 +00:00			`"github.com/zitadel/zitadel/internal/zerrors"`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`)`

			`type OIDCClient struct {`
			InstanceID string `json:"instance_id,omitempty"`
			AppID string `json:"app_id,omitempty"`
			State domain.AppState `json:"state,omitempty"`
			ClientID string `json:"client_id,omitempty"`
feat(OIDC): add back channel logout (#8837) # Which Problems Are Solved Currently ZITADEL supports RP-initiated logout for clients. Back-channel logout ensures that user sessions are terminated across all connected applications, even if the user closes their browser or loses connectivity providing a more secure alternative for certain use cases. # How the Problems Are Solved If the feature is activated and the client used for the authentication has a back_channel_logout_uri configured, a `session_logout.back_channel` will be registered. Once a user terminates their session, a (notification) handler will send a SET (form POST) to the registered uri containing a logout_token (with the user's ID and session ID). - A new feature "back_channel_logout" is added on system and instance level - A `back_channel_logout_uri` can be managed on OIDC applications - Added a `session_logout` aggregate to register and inform about sent `back_channel` notifications - Added a `SecurityEventToken` channel and `Form`message type in the notification handlers - Added `TriggeredAtOrigin` fields to `HumanSignedOut` and `TerminateSession` events for notification handling - Exported various functions and types in the `oidc` package to be able to reuse for token signing in the back_channel notifier. - To prevent that current existing session termination events will be handled, a setup step is added to set the `current_states` for the `projections.notifications_back_channel_logout` to the current position - [x] requires https://github.com/zitadel/oidc/pull/671 # Additional Changes - Updated all OTEL dependencies to v1.29.0, since OIDC already updated some of them to that version. - Single Session Termination feature is correctly checked (fixed feature mapping) # Additional Context - closes https://github.com/zitadel/zitadel/issues/8467 - TODO: - Documentation - UI to be done: https://github.com/zitadel/zitadel/issues/8469 --------- Co-authored-by: Hidde Wieringa <hidde@hiddewieringa.nl> 2024-10-31 14:57:17 +00:00			BackChannelLogoutURI string `json:"back_channel_logout_uri,omitempty"`
feat(crypto): use passwap for machine and app secrets (#7657) * feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix intergration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2024-04-05 09:35:49 +00:00			HashedSecret string `json:"client_secret,omitempty"`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			RedirectURIs []string `json:"redirect_uris,omitempty"`
			ResponseTypes []domain.OIDCResponseType `json:"response_types,omitempty"`
			GrantTypes []domain.OIDCGrantType `json:"grant_types,omitempty"`
			ApplicationType domain.OIDCApplicationType `json:"application_type,omitempty"`
			AuthMethodType domain.OIDCAuthMethodType `json:"auth_method_type,omitempty"`
			PostLogoutRedirectURIs []string `json:"post_logout_redirect_uris,omitempty"`
			IsDevMode bool `json:"is_dev_mode,omitempty"`
			AccessTokenType domain.OIDCTokenType `json:"access_token_type,omitempty"`
			AccessTokenRoleAssertion bool `json:"access_token_role_assertion,omitempty"`
			IDTokenRoleAssertion bool `json:"id_token_role_assertion,omitempty"`
			IDTokenUserinfoAssertion bool `json:"id_token_userinfo_assertion,omitempty"`
			ClockSkew time.Duration `json:"clock_skew,omitempty"`
			AdditionalOrigins []string `json:"additional_origins,omitempty"`
			PublicKeys map[string][]byte `json:"public_keys,omitempty"`
			ProjectID string `json:"project_id,omitempty"`
feat(oidc): optimize the userinfo endpoint (#7706) * feat(oidc): optimize the userinfo endpoint * store project ID in the access token * query for projectID if not in token * add scope based tests * Revert "store project ID in the access token" This reverts commit 5f0262f23988e7f62d415d0e4a02a705f6ad5197. * query project role assertion * use project role assertion setting to return roles * workaround eventual consistency and handle PAT * do not append empty project id 2024-04-09 13:15:35 +00:00			ProjectRoleAssertion bool `json:"project_role_assertion,omitempty"`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			ProjectRoleKeys []string `json:"project_role_keys,omitempty"`
fix(oidc): return clients without instance settings (#7036) 2023-12-07 09:43:45 +00:00			Settings *OIDCSettings `json:"settings,omitempty"`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`}`

feat(oidc): optimize the userinfo endpoint (#7706) * feat(oidc): optimize the userinfo endpoint * store project ID in the access token * query for projectID if not in token * add scope based tests * Revert "store project ID in the access token" This reverts commit 5f0262f23988e7f62d415d0e4a02a705f6ad5197. * query project role assertion * use project role assertion setting to return roles * workaround eventual consistency and handle PAT * do not append empty project id 2024-04-09 13:15:35 +00:00			`//go:embed oidc_client_by_id.sql`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`var oidcClientQuery string`

fix: correctly check app state on authentication (#8630) # Which Problems Are Solved In Zitadel, even after an organization is deactivated, associated projects, respectively their applications remain active. Users across other organizations can still log in and access through these applications, leading to unauthorized access. Additionally, if a project was deactivated access to applications was also still possible. # How the Problems Are Solved - Correctly check the status of the organization and related project. (Corresponding functions have been renamed to `Active...`) 2024-09-17 11:34:14 +00:00			`func (q Queries) ActiveOIDCClientByID(ctx context.Context, clientID string, getKeys bool) (client OIDCClient, err error) {`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`ctx, span := tracing.NewSpan(ctx)`
			`defer func() { span.EndWithError(err) }()`

			`client, err = database.QueryJSONObject[OIDCClient](ctx, q.client, oidcClientQuery,`
			`authz.GetInstance(ctx).InstanceID(), clientID, getKeys,`
			`)`
			`if errors.Is(err, sql.ErrNoRows) {`
			`return nil, zerrors.ThrowNotFound(err, "QUERY-wu6Ee", "Errors.App.NotFound")`
			`}`
			`if err != nil {`
			`return nil, zerrors.ThrowInternal(err, "QUERY-ieR7R", "Errors.Internal")`
			`}`
feat: trusted (instance) domains (#8369) # Which Problems Are Solved ZITADEL currently selects the instance context based on a HTTP header (see https://github.com/zitadel/zitadel/issues/8279#issue-2399959845 and checks it against the list of instance domains. Let's call it instance or API domain. For any context based URL (e.g. OAuth, OIDC, SAML endpoints, links in emails, ...) the requested domain (instance domain) will be used. Let's call it the public domain. In cases of proxied setups, all exposed domains (public domains) require the domain to be managed as instance domain. This can either be done using the "ExternalDomain" in the runtime config or via system API, which requires a validation through CustomerPortal on zitadel.cloud. # How the Problems Are Solved - Two new headers / header list are added: - `InstanceHostHeaders`: an ordered list (first sent wins), which will be used to match the instance. (For backward compatibility: the `HTTP1HostHeader`, `HTTP2HostHeader` and `forwarded`, `x-forwarded-for`, `x-forwarded-host` are checked afterwards as well) - `PublicHostHeaders`: an ordered list (first sent wins), which will be used as public host / domain. This will be checked against a list of trusted domains on the instance. - The middleware intercepts all requests to the API and passes a `DomainCtx` object with the hosts and protocol into the context (previously only a computed `origin` was passed) - HTTP / GRPC server do not longer try to match the headers to instances themself, but use the passed `http.DomainContext` in their interceptors. - The `RequestedHost` and `RequestedDomain` from authz.Instance are removed in favor of the `http.DomainContext` - When authenticating to or signing out from Console UI, the current `http.DomainContext(ctx).Origin` (already checked by instance interceptor for validity) is used to compute and dynamically add a `redirect_uri` and `post_logout_redirect_uri`. - Gateway passes all configured host headers (previously only did `x-zitadel-*`) - Admin API allows to manage trusted domain # Additional Changes None # Additional Context - part of #8279 - open topics: - "single-instance" mode - Console UI 2024-07-31 15:00:38 +00:00			`if authz.GetInstance(ctx).ConsoleClientID() == clientID {`
			`client.RedirectURIs = append(client.RedirectURIs, http_util.DomainContext(ctx).Origin()+path.RedirectPath)`
			`client.PostLogoutRedirectURIs = append(client.PostLogoutRedirectURIs, http_util.DomainContext(ctx).Origin()+path.PostLogoutPath)`
			`}`
perf(oidc): optimize client verification (#6999) * fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f0e2254bd8beaaf97d83ad1dc01228d. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0 2023-12-05 17:01:03 +00:00			`return client, err`
			`}`