feat(api): add OIDC session service (#6157)

This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-08-12 00:57:33 +00:00 · 2023-07-10 15:27:00 +02:00
parent be1fe36776
commit 14b8cf4894
69 changed files with 5948 additions and 106 deletions
--- a/internal/query/projection/auth_request.go
+++ b/internal/query/projection/auth_request.go
@@ -0,0 +1,142 @@
+package projection
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/handler"
+	"github.com/zitadel/zitadel/internal/eventstore/handler/crdb"
+	"github.com/zitadel/zitadel/internal/repository/authrequest"
+	"github.com/zitadel/zitadel/internal/repository/instance"
+)
+
+const (
+	AuthRequestsProjectionTable = "projections.auth_requests"
+
+	AuthRequestColumnID            = "id"
+	AuthRequestColumnCreationDate  = "creation_date"
+	AuthRequestColumnChangeDate    = "change_date"
+	AuthRequestColumnSequence      = "sequence"
+	AuthRequestColumnResourceOwner = "resource_owner"
+	AuthRequestColumnInstanceID    = "instance_id"
+	AuthRequestColumnLoginClient   = "login_client"
+	AuthRequestColumnClientID      = "client_id"
+	AuthRequestColumnRedirectURI   = "redirect_uri"
+	AuthRequestColumnScope         = "scope"
+	AuthRequestColumnPrompt        = "prompt"
+	AuthRequestColumnUILocales     = "ui_locales"
+	AuthRequestColumnMaxAge        = "max_age"
+	AuthRequestColumnLoginHint     = "login_hint"
+	AuthRequestColumnHintUserID    = "hint_user_id"
+)
+
+type authRequestProjection struct {
+	crdb.StatementHandler
+}
+
+func newAuthRequestProjection(ctx context.Context, config crdb.StatementHandlerConfig) *authRequestProjection {
+	p := new(authRequestProjection)
+	config.ProjectionName = AuthRequestsProjectionTable
+	config.Reducers = p.reducers()
+	config.InitCheck = crdb.NewMultiTableCheck(
+		crdb.NewTable([]*crdb.Column{
+			crdb.NewColumn(AuthRequestColumnID, crdb.ColumnTypeText),
+			crdb.NewColumn(AuthRequestColumnCreationDate, crdb.ColumnTypeTimestamp),
+			crdb.NewColumn(AuthRequestColumnChangeDate, crdb.ColumnTypeTimestamp),
+			crdb.NewColumn(AuthRequestColumnSequence, crdb.ColumnTypeInt64),
+			crdb.NewColumn(AuthRequestColumnResourceOwner, crdb.ColumnTypeText),
+			crdb.NewColumn(AuthRequestColumnInstanceID, crdb.ColumnTypeText),
+			crdb.NewColumn(AuthRequestColumnLoginClient, crdb.ColumnTypeText),
+			crdb.NewColumn(AuthRequestColumnClientID, crdb.ColumnTypeText),
+			crdb.NewColumn(AuthRequestColumnRedirectURI, crdb.ColumnTypeText),
+			crdb.NewColumn(AuthRequestColumnScope, crdb.ColumnTypeTextArray),
+			crdb.NewColumn(AuthRequestColumnPrompt, crdb.ColumnTypeEnumArray, crdb.Nullable()),
+			crdb.NewColumn(AuthRequestColumnUILocales, crdb.ColumnTypeTextArray, crdb.Nullable()),
+			crdb.NewColumn(AuthRequestColumnMaxAge, crdb.ColumnTypeInt64, crdb.Nullable()),
+			crdb.NewColumn(AuthRequestColumnLoginHint, crdb.ColumnTypeText, crdb.Nullable()),
+			crdb.NewColumn(AuthRequestColumnHintUserID, crdb.ColumnTypeText, crdb.Nullable()),
+		},
+			crdb.NewPrimaryKey(AuthRequestColumnInstanceID, AuthRequestColumnID),
+		),
+	)
+	p.StatementHandler = crdb.NewStatementHandler(ctx, config)
+	return p
+}
+
+func (p *authRequestProjection) reducers() []handler.AggregateReducer {
+	return []handler.AggregateReducer{
+		{
+			Aggregate: authrequest.AggregateType,
+			EventRedusers: []handler.EventReducer{
+				{
+					Event:  authrequest.AddedType,
+					Reduce: p.reduceAuthRequestAdded,
+				},
+				{
+					Event:  authrequest.SucceededType,
+					Reduce: p.reduceAuthRequestEnded,
+				},
+				{
+					Event:  authrequest.FailedType,
+					Reduce: p.reduceAuthRequestEnded,
+				},
+			},
+		},
+		{
+			Aggregate: instance.AggregateType,
+			EventRedusers: []handler.EventReducer{
+				{
+					Event:  instance.InstanceRemovedEventType,
+					Reduce: reduceInstanceRemovedHelper(AuthRequestColumnInstanceID),
+				},
+			},
+		},
+	}
+}
+
+func (p *authRequestProjection) reduceAuthRequestAdded(event eventstore.Event) (*handler.Statement, error) {
+	e, ok := event.(*authrequest.AddedEvent)
+	if !ok {
+		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-Sfwfa", "reduce.wrong.event.type %s", authrequest.AddedType)
+	}
+
+	return crdb.NewCreateStatement(
+		e,
+		[]handler.Column{
+			handler.NewCol(AuthRequestColumnID, e.Aggregate().ID),
+			handler.NewCol(AuthRequestColumnInstanceID, e.Aggregate().InstanceID),
+			handler.NewCol(AuthRequestColumnCreationDate, e.CreationDate()),
+			handler.NewCol(AuthRequestColumnChangeDate, e.CreationDate()),
+			handler.NewCol(AuthRequestColumnResourceOwner, e.Aggregate().ResourceOwner),
+			handler.NewCol(AuthRequestColumnSequence, e.Sequence()),
+			handler.NewCol(AuthRequestColumnLoginClient, e.LoginClient),
+			handler.NewCol(AuthRequestColumnClientID, e.ClientID),
+			handler.NewCol(AuthRequestColumnRedirectURI, e.RedirectURI),
+			handler.NewCol(AuthRequestColumnScope, e.Scope),
+			handler.NewCol(AuthRequestColumnPrompt, e.Prompt),
+			handler.NewCol(AuthRequestColumnUILocales, e.UILocales),
+			handler.NewCol(AuthRequestColumnMaxAge, e.MaxAge),
+			handler.NewCol(AuthRequestColumnLoginHint, e.LoginHint),
+			handler.NewCol(AuthRequestColumnHintUserID, e.HintUserID),
+		},
+	), nil
+}
+
+func (p *authRequestProjection) reduceAuthRequestEnded(event eventstore.Event) (*handler.Statement, error) {
+	switch event.(type) {
+	case *authrequest.SucceededEvent,
+		*authrequest.FailedEvent:
+		break
+	default:
+		return nil, errors.ThrowInvalidArgumentf(nil, "HANDL-ASF3h", "reduce.wrong.event.type %s", []eventstore.EventType{authrequest.SucceededType, authrequest.FailedType})
+	}
+
+	return crdb.NewDeleteStatement(
+		event,
+		[]handler.Condition{
+			handler.NewCond(AuthRequestColumnID, event.Aggregate().ID),
+			handler.NewCond(AuthRequestColumnInstanceID, event.Aggregate().InstanceID),
+		},
+	), nil
+}
--- a/internal/query/projection/auth_request_test.go
+++ b/internal/query/projection/auth_request_test.go
@@ -0,0 +1,134 @@
+package projection
+
+import (
+	"testing"
+	"time"
+
+	"github.com/muhlemmer/gu"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/handler"
+	"github.com/zitadel/zitadel/internal/repository/authrequest"
+)
+
+func TestAuthRequestProjection_reduces(t *testing.T) {
+	type args struct {
+		event func(t *testing.T) eventstore.Event
+	}
+	tests := []struct {
+		name   string
+		args   args
+		reduce func(event eventstore.Event) (*handler.Statement, error)
+		want   wantReduce
+	}{
+		{
+			name: "reduceAuthRequestAdded",
+			args: args{
+				event: getEvent(testEvent(
+					authrequest.AddedType,
+					authrequest.AggregateType,
+					[]byte(`{"login_client": "loginClient", "client_id":"clientId","redirect_uri": "redirectURI", "scope": ["openid"], "prompt": [1], "ui_locales": ["en","de"], "max_age": 0, "login_hint": "loginHint", "hint_user_id": "hintUserID"}`),
+				), authrequest.AddedEventMapper),
+			},
+			reduce: (&authRequestProjection{}).reduceAuthRequestAdded,
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("auth_request"),
+				sequence:         15,
+				previousSequence: 10,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "INSERT INTO projections.auth_requests (id, instance_id, creation_date, change_date, resource_owner, sequence, login_client, client_id, redirect_uri, scope, prompt, ui_locales, max_age, login_hint, hint_user_id) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15)",
+							expectedArgs: []interface{}{
+								"agg-id",
+								"instance-id",
+								anyArg{},
+								anyArg{},
+								"ro-id",
+								uint64(15),
+								"loginClient",
+								"clientId",
+								"redirectURI",
+								[]string{"openid"},
+								[]domain.Prompt{domain.PromptNone},
+								[]string{"en", "de"},
+								gu.Ptr(time.Duration(0)),
+								gu.Ptr("loginHint"),
+								gu.Ptr("hintUserID"),
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "reduceAuthRequestFailed",
+			args: args{
+				event: getEvent(testEvent(
+					authrequest.FailedType,
+					authrequest.AggregateType,
+					[]byte(`{"reason": 0}`),
+				), authrequest.FailedEventMapper),
+			},
+			reduce: (&authRequestProjection{}).reduceAuthRequestEnded,
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("auth_request"),
+				sequence:         15,
+				previousSequence: 10,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "DELETE FROM projections.auth_requests WHERE (id = $1) AND (instance_id = $2)",
+							expectedArgs: []interface{}{
+								"agg-id",
+								"instance-id",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "reduceAuthRequestSucceeded",
+			args: args{
+				event: getEvent(testEvent(
+					authrequest.SucceededType,
+					authrequest.AggregateType,
+					nil,
+				), authrequest.SucceededEventMapper),
+			},
+			reduce: (&authRequestProjection{}).reduceAuthRequestEnded,
+			want: wantReduce{
+				aggregateType:    eventstore.AggregateType("auth_request"),
+				sequence:         15,
+				previousSequence: 10,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "DELETE FROM projections.auth_requests WHERE (id = $1) AND (instance_id = $2)",
+							expectedArgs: []interface{}{
+								"agg-id",
+								"instance-id",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			event := baseEvent(t)
+			got, err := tt.reduce(event)
+			if !errors.IsErrorInvalidArgument(err) {
+				t.Errorf("no wrong event mapping: %v, got: %v", err, got)
+			}
+
+			event = tt.args.event(t)
+			got, err = tt.reduce(event)
+			assertReduce(t, got, err, AuthRequestsProjectionTable, tt.want)
+		})
+	}
+}
--- a/internal/query/projection/projection.go
+++ b/internal/query/projection/projection.go
@@ -67,6 +67,7 @@ var (
 	TelemetryPusherProjection           interface{}
 	DeviceAuthProjection                *deviceAuthProjection
 	SessionProjection                   *sessionProjection
+	AuthRequestProjection               *authRequestProjection
 	MilestoneProjection                 *milestoneProjection
 )

@@ -145,6 +146,7 @@ func Create(ctx context.Context, sqlClient *database.DB, es *eventstore.Eventsto
 	NotificationPolicyProjection = newNotificationPolicyProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["notification_policies"]))
 	DeviceAuthProjection = newDeviceAuthProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["device_auth"]))
 	SessionProjection = newSessionProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["sessions"]))
+	AuthRequestProjection = newAuthRequestProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["auth_requests"]))
 	MilestoneProjection = newMilestoneProjection(ctx, applyCustomConfig(projectionConfig, config.Customizations["milestones"]))
 	newProjectionsList()
 	return nil
@@ -243,6 +245,7 @@ func newProjectionsList() {
 		NotificationPolicyProjection,
 		DeviceAuthProjection,
 		SessionProjection,
+		AuthRequestProjection,
 		MilestoneProjection,
 	}
 }