feat(api): add OIDC session service (#6157)

This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-08-12 00:17:32 +00:00 · 2023-07-10 15:27:00 +02:00
parent be1fe36776
commit 14b8cf4894
69 changed files with 5948 additions and 106 deletions
--- a/internal/query/auth_request.go
+++ b/internal/query/auth_request.go
@@ -0,0 +1,88 @@
+package query
+
+import (
+	"context"
+	"database/sql"
+	_ "embed"
+	errs "errors"
+	"fmt"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/call"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/query/projection"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+)
+
+type AuthRequest struct {
+	ID           string
+	CreationDate time.Time
+	LoginClient  string
+	ClientID     string
+	Scope        []string
+	RedirectURI  string
+	Prompt       []domain.Prompt
+	UiLocales    []string
+	LoginHint    *string
+	MaxAge       *time.Duration
+	HintUserID   *string
+}
+
+func (a *AuthRequest) checkLoginClient(ctx context.Context) error {
+	if uid := authz.GetCtxData(ctx).UserID; uid != a.LoginClient {
+		return errors.ThrowPermissionDenied(nil, "OIDCv2-aL0ag", "Errors.AuthRequest.WrongLoginClient")
+	}
+	return nil
+}
+
+//go:embed embed/auth_request_by_id.sql
+var authRequestByIDQuery string
+
+func (q *Queries) authRequestByIDQuery(ctx context.Context) string {
+	return fmt.Sprintf(authRequestByIDQuery, q.client.Timetravel(call.Took(ctx)))
+}
+
+func (q *Queries) AuthRequestByID(ctx context.Context, shouldTriggerBulk bool, id string, checkLoginClient bool) (_ *AuthRequest, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	if shouldTriggerBulk {
+		ctx = projection.AuthRequestProjection.Trigger(ctx)
+	}
+
+	var (
+		scope   database.StringArray
+		prompt  database.EnumArray[domain.Prompt]
+		locales database.StringArray
+	)
+
+	dst := new(AuthRequest)
+	err = q.client.DB.QueryRowContext(
+		ctx, q.authRequestByIDQuery(ctx),
+		id, authz.GetInstance(ctx).InstanceID(),
+	).Scan(
+		&dst.ID, &dst.CreationDate, &dst.LoginClient, &dst.ClientID, &scope, &dst.RedirectURI,
+		&prompt, &locales, &dst.LoginHint, &dst.MaxAge, &dst.HintUserID,
+	)
+	if errs.Is(err, sql.ErrNoRows) {
+		return nil, errors.ThrowNotFound(err, "QUERY-Thee9", "Errors.AuthRequest.NotExisting")
+	}
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "QUERY-Ou8ue", "Errors.Internal")
+	}
+
+	dst.Scope = scope
+	dst.Prompt = prompt
+	dst.UiLocales = locales
+
+	if checkLoginClient {
+		if err = dst.checkLoginClient(ctx); err != nil {
+			return nil, err
+		}
+	}
+
+	return dst, nil
+}
--- a/internal/query/auth_request_test.go
+++ b/internal/query/auth_request_test.go
@@ -0,0 +1,180 @@
+package query
+
+import (
+	"database/sql"
+	"database/sql/driver"
+	_ "embed"
+	"fmt"
+	"regexp"
+	"testing"
+	"time"
+
+	"github.com/muhlemmer/gu"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/query/projection"
+)
+
+func TestQueries_AuthRequestByID(t *testing.T) {
+	expQuery := regexp.QuoteMeta(fmt.Sprintf(
+		authRequestByIDQuery,
+		asOfSystemTime,
+	))
+
+	cols := []string{
+		projection.AuthRequestColumnID,
+		projection.AuthRequestColumnCreationDate,
+		projection.AuthRequestColumnLoginClient,
+		projection.AuthRequestColumnClientID,
+		projection.AuthRequestColumnScope,
+		projection.AuthRequestColumnRedirectURI,
+		projection.AuthRequestColumnPrompt,
+		projection.AuthRequestColumnUILocales,
+		projection.AuthRequestColumnLoginHint,
+		projection.AuthRequestColumnMaxAge,
+		projection.AuthRequestColumnHintUserID,
+	}
+	type args struct {
+		shouldTriggerBulk bool
+		id                string
+		checkLoginClient  bool
+	}
+	tests := []struct {
+		name    string
+		args    args
+		expect  sqlExpectation
+		want    *AuthRequest
+		wantErr error
+	}{
+		{
+			name: "success, all values",
+			args: args{
+				shouldTriggerBulk: false,
+				id:                "123",
+				checkLoginClient:  true,
+			},
+			expect: mockQuery(expQuery, cols, []driver.Value{
+				"id",
+				testNow,
+				"loginClient",
+				"clientID",
+				database.StringArray{"a", "b", "c"},
+				"example.com",
+				database.EnumArray[domain.Prompt]{domain.PromptLogin, domain.PromptConsent},
+				database.StringArray{"en", "fi"},
+				"me@example.com",
+				int64(time.Minute),
+				"userID",
+			}, "123", "instanceID"),
+			want: &AuthRequest{
+				ID:           "id",
+				CreationDate: testNow,
+				LoginClient:  "loginClient",
+				ClientID:     "clientID",
+				Scope:        []string{"a", "b", "c"},
+				RedirectURI:  "example.com",
+				Prompt:       []domain.Prompt{domain.PromptLogin, domain.PromptConsent},
+				UiLocales:    []string{"en", "fi"},
+				LoginHint:    gu.Ptr("me@example.com"),
+				MaxAge:       gu.Ptr(time.Minute),
+				HintUserID:   gu.Ptr("userID"),
+			},
+		},
+		{
+			name: "success, null values",
+			args: args{
+				shouldTriggerBulk: false,
+				id:                "123",
+				checkLoginClient:  true,
+			},
+			expect: mockQuery(expQuery, cols, []driver.Value{
+				"id",
+				testNow,
+				"loginClient",
+				"clientID",
+				database.StringArray{"a", "b", "c"},
+				"example.com",
+				database.EnumArray[domain.Prompt]{domain.PromptLogin, domain.PromptConsent},
+				database.StringArray{"en", "fi"},
+				sql.NullString{},
+				sql.NullInt64{},
+				sql.NullString{},
+			}, "123", "instanceID"),
+			want: &AuthRequest{
+				ID:           "id",
+				CreationDate: testNow,
+				LoginClient:  "loginClient",
+				ClientID:     "clientID",
+				Scope:        []string{"a", "b", "c"},
+				RedirectURI:  "example.com",
+				Prompt:       []domain.Prompt{domain.PromptLogin, domain.PromptConsent},
+				UiLocales:    []string{"en", "fi"},
+				LoginHint:    nil,
+				MaxAge:       nil,
+				HintUserID:   nil,
+			},
+		},
+		{
+			name: "no rows",
+			args: args{
+				shouldTriggerBulk: false,
+				id:                "123",
+			},
+			expect:  mockQuery(expQuery, cols, nil, "123", "instanceID"),
+			wantErr: errors.ThrowNotFound(sql.ErrNoRows, "QUERY-Thee9", "Errors.AuthRequest.NotExisting"),
+		},
+		{
+			name: "query error",
+			args: args{
+				shouldTriggerBulk: false,
+				id:                "123",
+			},
+			expect:  mockQueryErr(expQuery, sql.ErrConnDone, "123", "instanceID"),
+			wantErr: errors.ThrowInternal(sql.ErrConnDone, "QUERY-Ou8ue", "Errors.Internal"),
+		},
+		{
+			name: "wrong login client",
+			args: args{
+				shouldTriggerBulk: false,
+				id:                "123",
+				checkLoginClient:  true,
+			},
+			expect: mockQuery(expQuery, cols, []driver.Value{
+				"id",
+				testNow,
+				"wrongLoginClient",
+				"clientID",
+				database.StringArray{"a", "b", "c"},
+				"example.com",
+				database.EnumArray[domain.Prompt]{domain.PromptLogin, domain.PromptConsent},
+				database.StringArray{"en", "fi"},
+				sql.NullString{},
+				sql.NullInt64{},
+				sql.NullString{},
+			}, "123", "instanceID"),
+			wantErr: errors.ThrowPermissionDeniedf(nil, "OIDCv2-aL0ag", "Errors.AuthRequest.WrongLoginClient"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			execMock(t, tt.expect, func(db *sql.DB) {
+				q := &Queries{
+					client: &database.DB{
+						DB:       db,
+						Database: &prepareDB{},
+					},
+				}
+				ctx := authz.NewMockContext("instanceID", "orgID", "loginClient")
+
+				got, err := q.AuthRequestByID(ctx, tt.args.shouldTriggerBulk, tt.args.id, tt.args.checkLoginClient)
+				require.ErrorIs(t, err, tt.wantErr)
+				assert.Equal(t, tt.want, got)
+			})
+		})
+	}
+}
--- a/internal/query/embed/auth_request_by_id.sql
+++ b/internal/query/embed/auth_request_by_id.sql
@@ -0,0 +1,15 @@
+select
+    id,
+    creation_date,
+    login_client,
+    client_id,
+    scope,
+    redirect_uri,
+    prompt,
+    ui_locales,
+    login_hint,
+    max_age,
+    hint_user_id
+from projections.auth_requests %s
+where id = $1 and instance_id = $2
+limit 1;
--- a/internal/query/prepare_test.go
+++ b/internal/query/prepare_test.go
@@ -14,6 +14,7 @@ import (
 	"github.com/DATA-DOG/go-sqlmock"
 	sq "github.com/Masterminds/squirrel"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 var (
@@ -74,9 +75,9 @@ type checkErr func(error) (err error, ok bool)

 type sqlExpectation func(sqlmock.Sqlmock) sqlmock.Sqlmock

-func mockQuery(stmt string, cols []string, row []driver.Value) func(m sqlmock.Sqlmock) sqlmock.Sqlmock {
+func mockQuery(stmt string, cols []string, row []driver.Value, args ...driver.Value) func(m sqlmock.Sqlmock) sqlmock.Sqlmock {
 	return func(m sqlmock.Sqlmock) sqlmock.Sqlmock {
-		q := m.ExpectQuery(stmt)
+		q := m.ExpectQuery(stmt).WithArgs(args...)
 		result := sqlmock.NewRows(cols)
 		if len(row) > 0 {
 			result.AddRow(row...)
@@ -111,6 +112,15 @@ func mockQueryErr(stmt string, err error, args ...driver.Value) func(m sqlmock.S
 	}
 }

+func execMock(t testing.TB, exp sqlExpectation, run func(db *sql.DB)) {
+	db, mock, err := sqlmock.New()
+	require.NoError(t, err)
+	defer db.Close()
+	mock = exp(mock)
+	run(db)
+	assert.NoError(t, mock.ExpectationsWereMet())
+}
+
 var (
 	rowType           = reflect.TypeOf(&sql.Row{})
 	rowsType          = reflect.TypeOf(&sql.Rows{})
@@ -317,7 +327,9 @@ func TestValidatePrepare(t *testing.T) {

 type prepareDB struct{}

-func (_ *prepareDB) Timetravel(time.Duration) string { return " AS OF SYSTEM TIME '-1 ms' " }
+const asOfSystemTime = " AS OF SYSTEM TIME '-1 ms' "
+
+func (*prepareDB) Timetravel(time.Duration) string { return asOfSystemTime }

 var defaultPrepareArgs = []reflect.Value{reflect.ValueOf(context.Background()), reflect.ValueOf(new(prepareDB))}

--- a/internal/query/projection/auth_request.go
+++ b/internal/query/projection/auth_request.go
@@ -0,0 +1,142 @@
+package projection
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/handler"
+	"github.com/zitadel/zitadel/internal/eventstore/handler/crdb"
+	"github.com/zitadel/zitadel/internal/repository/authrequest"
+	"github.com/zitadel/zitadel/internal/repository/instance"
+)
+
+const (
+	AuthRequestsProjectionTable = "projections.auth_requests"
+
+	AuthRequestColumnID            = "id"
+	AuthRequestColumnCreationDate  = "creation_date"
+	AuthRequestColumnChangeDate    = "change_date"
+	AuthRequestColumnSequence      = "sequence"
+	AuthRequestColumnResourceOwner = "resource_owner"
+	AuthRequestColumnInstanceID    = "instance_id"
+	AuthRequestColumnLoginClient   = "login_client"
+	AuthRequestColumnClientID      = "client_id"
+	AuthRequestColumnRedirectURI   = "redirect_uri"
+	AuthRequestColumnScope         = "scope"
+	AuthRequestColumnPrompt        = "prompt"
+	AuthRequestColumnUILocales     = "ui_locales"
+	AuthRequestColumnMaxAge        = "max_age"
+	AuthRequestColumnLoginHint     = "login_hint"
+	AuthRequestColumnHintUserID    = "hint_user_id"
+)
+
+type authRequestProjection struct {
+	crdb.StatementHandler
+}
+
+func newAuthRequestProjection(ctx context.Context, config crdb.StatementHandlerConfig) *authRequestProjection {
+	p := new(authRequestProjection)
+	config.ProjectionName = AuthRequestsProjectionTable
+	config.Reducers = p.reducers()
+	config.InitCheck = crdb.NewMultiTableCheck(
+		crdb.NewTable([]*crdb.Column{
+			crdb.NewColumn(AuthRequestColumnID, crdb.ColumnTypeText),
+			crdb.NewColumn(AuthRequestColumnCreationDate, crdb.ColumnTypeTimestamp),
+			crdb.NewColumn(AuthRequestColumnChangeDate, crdb.ColumnTypeTimestamp),
+			crdb.NewColumn(AuthRequestColumnSequence, crdb.ColumnTypeInt64),
+			crdb.NewColumn(AuthRequestColumnResourceOwner, crdb.ColumnTypeText),
+			crdb.NewColumn(AuthRequestColumnInstanceID, crdb.ColumnTypeText),
+			crdb.NewColumn(AuthRequestColumnLoginClient, crdb.ColumnTypeText),
+			crdb.NewColumn(AuthRequestColumnClientID, crdb.ColumnTypeText),
+			crdb.NewColumn(AuthRequestColumnRedirectURI, crdb.ColumnTypeText),
+			crdb.NewColumn(AuthRequestColumnScope, crdb.ColumnTypeTextArray),
+			crdb.NewColumn(AuthRequestColumnPrompt, crdb.ColumnTypeEnumArray, crdb.Nullable()),
+			crdb.NewColumn(AuthRequestColumnUILocales, crdb.ColumnTypeTextArray, crdb.Nullable()),
+			crdb.NewColumn(AuthRequestColumnMaxAge, crdb.ColumnTypeInt64, crdb.Nullable()),
+			crdb.NewColumn(AuthRequestColumnLoginHint, crdb.ColumnTypeText, crdb.Nullable()),
+			crdb.NewColumn(AuthRequestColumnHintUserID, crdb.ColumnTypeText, crdb.Nullable()),
+		},
+			crdb.NewPrimaryKey(AuthRequestColumnInstanceID, AuthRequestColumnID),
+		),
+	)
+	p.StatementHandler = crdb.NewStatementHandler(ctx, config)
+	return p
+}
+
+func (p *authRequestProjection) reducers() []handler.AggregateReducer {
+	return []handler.AggregateReducer{
+		{
+			Aggregate: authrequest.AggregateType,
+			EventRedusers: []handler.EventReducer{
+				{
+					Event:  authrequest.AddedType,
+					Reduce: p.reduceAuthRequestAdded,
+				},
+				{
+					Event:  authrequest.SucceededType,
+					Reduce: p.reduceAuthRequestEnded,
+				},
+				{
+					Event:  authrequest.FailedType,
+					Reduce: p.reduceAuthRequestEnded,
+				},
+			},
+		},
+		{
+			Aggregate: instance.AggregateType,
+			EventRedusers: []handler.EventReducer{
+				{
+					Event:  instance.InstanceRemovedEventType,
+					Reduce: reduceInstanceRemovedHelper(AuthRequestColumnInstanceID),
+				},
+			},
+		},
+	}
+}
+
+func (p *authRequestProjection) reduceAuthRequestAdded(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*authrequest.AddedEvent)
+	if !ok {
+		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-Sfwfa", "reduce.wrong.event.type %s", authrequest.AddedType)
+	}
+
+	return crdb.NewCreateStatement(
+		e,
+		[]handler.Column{
+			handler.NewCol(AuthRequestColumnID, e.Aggregate().ID),
+			handler.NewCol(AuthRequestColumnInstanceID, e.Aggregate().InstanceID),
+			handler.NewCol(AuthRequestColumnCreationDate, e.CreationDate()),
+			handler.NewCol(AuthRequestColumnChangeDate, e.CreationDate()),
+			handler.NewCol(AuthRequestColumnResourceOwner, e.Aggregate().ResourceOwner),
+			handler.NewCol(AuthRequestColumnSequence, e.Sequence()),
+			handler.NewCol(AuthRequestColumnLoginClient, e.LoginClient),
+			handler.NewCol(AuthRequestColumnClientID, e.ClientID),
+			handler.NewCol(AuthRequestColumnRedirectURI, e.RedirectURI),
+			handler.NewCol(AuthRequestColumnScope, e.Scope),
+			handler.NewCol(AuthRequestColumnPrompt, e.Prompt),
+			handler.NewCol(AuthRequestColumnUILocales, e.UILocales),
+			handler.NewCol(AuthRequestColumnMaxAge, e.MaxAge),
+			handler.NewCol(AuthRequestColumnLoginHint, e.LoginHint),
+			handler.NewCol(AuthRequestColumnHintUserID, e.HintUserID),
+		},
+	), nil
+}
+
+func (p *authRequestProjection) reduceAuthRequestEnded(event eventstore.Event) (*handler.Statement, error) {
+	switch event.(type) {
+	case *authrequest.SucceededEvent,
+		*authrequest.FailedEvent:
+		break
+	default:
+		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-ASF3h", "reduce.wrong.event.type %s", []eventstore.EventType{authrequest.SucceededType, authrequest.FailedType})
+	}
+
+	return crdb.NewDeleteStatement(
+		event,
+		[]handler.Condition{
+			handler.NewCond(AuthRequestColumnID, event.Aggregate().ID),
+			handler.NewCond(AuthRequestColumnInstanceID, event.Aggregate().InstanceID),
+		},
+	), nil
+}
--- a/internal/query/projection/auth_request_test.go
+++ b/internal/query/projection/auth_request_test.go
@@ -0,0 +1,134 @@
+package projection
+
+import (
+	"testing"
+	"time"
+
+	"github.com/muhlemmer/gu"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/handler"
+	"github.com/zitadel/zitadel/internal/repository/authrequest"
+)
+
+func TestAuthRequestProjection_reduces(t *testing.T) {
+	type args struct {
+		event func(t *testing.T) eventstore.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		reduce func(event eventstore.Event) (*handler.Statement, error)
+		want   wantReduce
+	}{
+		{
+			name: "reduceAuthRequestAdded",
+			args: args{
+				event: getEvent(testEvent(
+					authrequest.AddedType,
+					authrequest.AggregateType,
+					[]byte(`{"login_client": "loginClient", "client_id":"clientId","redirect_uri": "redirectURI", "scope": ["openid"], "prompt": [1], "ui_locales": ["en","de"], "max_age": 0, "login_hint": "loginHint", "hint_user_id": "hintUserID"}`),
+				), authrequest.AddedEventMapper),
+			},
+			reduce: (&authRequestProjection{}).reduceAuthRequestAdded,
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("auth_request"),
+				sequence:         15,
+				previousSequence: 10,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "INSERT INTO projections.auth_requests (id, instance_id, creation_date, change_date, resource_owner, sequence, login_client, client_id, redirect_uri, scope, prompt, ui_locales, max_age, login_hint, hint_user_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15)",
+							expectedArgs: []interface{}{
+								"agg-id",
+								"instance-id",
+								anyArg{},
+								anyArg{},
+								"ro-id",
+								uint64(15),
+								"loginClient",
+								"clientId",
+								"redirectURI",
+								[]string{"openid"},
+								[]domain.Prompt{domain.PromptNone},
+								[]string{"en", "de"},
+								gu.Ptr(time.Duration(0)),
+								gu.Ptr("loginHint"),
+								gu.Ptr("hintUserID"),
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "reduceAuthRequestFailed",
+			args: args{
+				event: getEvent(testEvent(
+					authrequest.FailedType,
+					authrequest.AggregateType,
+					[]byte(`{"reason": 0}`),
+				), authrequest.FailedEventMapper),
+			},
+			reduce: (&authRequestProjection{}).reduceAuthRequestEnded,
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("auth_request"),
+				sequence:         15,
+				previousSequence: 10,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "DELETE FROM projections.auth_requests WHERE (id = $1) AND (instance_id = $2)",
+							expectedArgs: []interface{}{
+								"agg-id",
+								"instance-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "reduceAuthRequestSucceeded",
+			args: args{
+				event: getEvent(testEvent(
+					authrequest.SucceededType,
+					authrequest.AggregateType,
+					nil,
+				), authrequest.SucceededEventMapper),
+			},
+			reduce: (&authRequestProjection{}).reduceAuthRequestEnded,
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("auth_request"),
+				sequence:         15,
+				previousSequence: 10,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "DELETE FROM projections.auth_requests WHERE (id = $1) AND (instance_id = $2)",
+							expectedArgs: []interface{}{
+								"agg-id",
+								"instance-id",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			event := baseEvent(t)
+			got, err := tt.reduce(event)
+			if !errors.IsErrorInvalidArgument(err) {
+				t.Errorf("no wrong event mapping: %v, got: %v", err, got)
+			}
+
+			event = tt.args.event(t)
+			got, err = tt.reduce(event)
+			assertReduce(t, got, err, AuthRequestsProjectionTable, tt.want)
+		})
+	}
+}
--- a/internal/query/projection/projection.go
+++ b/internal/query/projection/projection.go
@@ -67,6 +67,7 @@ var (
 	TelemetryPusherProjection           interface{}
 	DeviceAuthProjection                *deviceAuthProjection
 	SessionProjection                   *sessionProjection
+	AuthRequestProjection               *authRequestProjection
 	MilestoneProjection                 *milestoneProjection
 )

@@ -145,6 +146,7 @@ func Create(ctx context.Context, sqlClient *database.DB, es *eventstore.Eventsto
 	NotificationPolicyProjection = newNotificationPolicyProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["notification_policies"]))
 	DeviceAuthProjection = newDeviceAuthProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["device_auth"]))
 	SessionProjection = newSessionProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["sessions"]))
+	AuthRequestProjection = newAuthRequestProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["auth_requests"]))
 	MilestoneProjection = newMilestoneProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["milestones"]))
 	newProjectionsList()
 	return nil
@@ -243,6 +245,7 @@ func newProjectionsList() {
 		NotificationPolicyProjection,
 		DeviceAuthProjection,
 		SessionProjection,
+		AuthRequestProjection,
 		MilestoneProjection,
 	}
 }
--- a/internal/query/query.go
+++ b/internal/query/query.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"regexp"
 	"sync"
 	"time"

@@ -18,9 +19,11 @@ import (
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/query/projection"
 	"github.com/zitadel/zitadel/internal/repository/action"
+	"github.com/zitadel/zitadel/internal/repository/authrequest"
 	"github.com/zitadel/zitadel/internal/repository/idpintent"
 	iam_repo "github.com/zitadel/zitadel/internal/repository/instance"
 	"github.com/zitadel/zitadel/internal/repository/keypair"
+	"github.com/zitadel/zitadel/internal/repository/oidcsession"
 	"github.com/zitadel/zitadel/internal/repository/org"
 	"github.com/zitadel/zitadel/internal/repository/project"
 	"github.com/zitadel/zitadel/internal/repository/session"
@@ -88,6 +91,8 @@ func StartQueries(
 	usergrant.RegisterEventMappers(repo.eventstore)
 	session.RegisterEventMappers(repo.eventstore)
 	idpintent.RegisterEventMappers(repo.eventstore)
+	authrequest.RegisterEventMappers(repo.eventstore)
+	oidcsession.RegisterEventMappers(repo.eventstore)

 	repo.idpConfigEncryption = idpConfigEncryption
 	repo.multifactors = domain.MultifactorConfigs{
@@ -115,3 +120,19 @@ func (q *Queries) Health(ctx context.Context) error {
 type prepareDatabase interface {
 	Timetravel(d time.Duration) string
 }
+
+// cleanStaticQueries removes whitespaces,
+// such as ` `, \t, \n, from queries to improve
+// readability in logs and errors.
+func cleanStaticQueries(qs ...*string) {
+	regex := regexp.MustCompile(`\s+`)
+	for _, q := range qs {
+		*q = regex.ReplaceAllString(*q, " ")
+	}
+}
+
+func init() {
+	cleanStaticQueries(
+		&authRequestByIDQuery,
+	)
+}
--- a/internal/query/query_test.go
+++ b/internal/query/query_test.go
@@ -0,0 +1,17 @@
+package query
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_cleanStaticQueries(t *testing.T) {
+	query := `select
+	foo,
+	bar
+from table;`
+	want := "select foo, bar from table;"
+	cleanStaticQueries(&query)
+	assert.Equal(t, want, query)
+}