feat(api): add OIDC session service (#6157)

This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-08-11 19:07:30 +00:00 · 2023-07-10 15:27:00 +02:00
parent be1fe36776
commit 14b8cf4894
69 changed files with 5948 additions and 106 deletions
--- a/internal/repository/authrequest/aggregate.go
+++ b/internal/repository/authrequest/aggregate.go
@@ -0,0 +1,26 @@
+package authrequest
+
+import (
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+const (
+	AggregateType    = "auth_request"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
+
+func NewAggregate(id, instanceID string) *Aggregate {
+	return &Aggregate{
+		Aggregate: eventstore.Aggregate{
+			Type:          AggregateType,
+			Version:       AggregateVersion,
+			ID:            id,
+			ResourceOwner: instanceID,
+			InstanceID:    instanceID,
+		},
+	}
+}
--- a/internal/repository/authrequest/auth_request.go
+++ b/internal/repository/authrequest/auth_request.go
@@ -0,0 +1,287 @@
+package authrequest
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/repository"
+)
+
+const (
+	authRequestEventPrefix = "auth_request."
+	AddedType              = authRequestEventPrefix + "added"
+	FailedType             = authRequestEventPrefix + "failed"
+	CodeAddedType          = authRequestEventPrefix + "code.added"
+	SessionLinkedType      = authRequestEventPrefix + "session.linked"
+	CodeExchangedType      = authRequestEventPrefix + "code.exchanged"
+	SucceededType          = authRequestEventPrefix + "succeeded"
+)
+
+type AddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	LoginClient   string                    `json:"login_client"`
+	ClientID      string                    `json:"client_id"`
+	RedirectURI   string                    `json:"redirect_uri"`
+	State         string                    `json:"state,omitempty"`
+	Nonce         string                    `json:"nonce,omitempty"`
+	Scope         []string                  `json:"scope,omitempty"`
+	Audience      []string                  `json:"audience,omitempty"`
+	ResponseType  domain.OIDCResponseType   `json:"response_type,omitempty"`
+	CodeChallenge *domain.OIDCCodeChallenge `json:"code_challenge,omitempty"`
+	Prompt        []domain.Prompt           `json:"prompt,omitempty"`
+	UILocales     []string                  `json:"ui_locales,omitempty"`
+	MaxAge        *time.Duration            `json:"max_age,omitempty"`
+	LoginHint     *string                   `json:"login_hint,omitempty"`
+	HintUserID    *string                   `json:"hint_user_id,omitempty"`
+}
+
+func (e *AddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *AddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAddedEvent(ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	loginClient,
+	clientID,
+	redirectURI,
+	state,
+	nonce string,
+	scope,
+	audience []string,
+	responseType domain.OIDCResponseType,
+	codeChallenge *domain.OIDCCodeChallenge,
+	prompt []domain.Prompt,
+	uiLocales []string,
+	maxAge *time.Duration,
+	loginHint,
+	hintUserID *string,
+) *AddedEvent {
+	return &AddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			AddedType,
+		),
+		LoginClient:   loginClient,
+		ClientID:      clientID,
+		RedirectURI:   redirectURI,
+		State:         state,
+		Nonce:         nonce,
+		Scope:         scope,
+		Audience:      audience,
+		ResponseType:  responseType,
+		CodeChallenge: codeChallenge,
+		Prompt:        prompt,
+		UILocales:     uiLocales,
+		MaxAge:        maxAge,
+		LoginHint:     loginHint,
+		HintUserID:    hintUserID,
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	added := &AddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, added)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "AUTHR-DG4gn", "unable to unmarshal auth request added")
+	}
+
+	return added, nil
+}
+
+type SessionLinkedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	SessionID string    `json:"session_id"`
+	UserID    string    `json:"user_id"`
+	AuthTime  time.Time `json:"auth_time"`
+	AMR       []string  `json:"amr"`
+}
+
+func (e *SessionLinkedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SessionLinkedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewSessionLinkedEvent(ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	sessionID,
+	userID string,
+	authTime time.Time,
+	amr []string,
+) *SessionLinkedEvent {
+	return &SessionLinkedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SessionLinkedType,
+		),
+		SessionID: sessionID,
+		UserID:    userID,
+		AuthTime:  authTime,
+		AMR:       amr,
+	}
+}
+
+func SessionLinkedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	added := &SessionLinkedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, added)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "AUTHR-Sfe3w", "unable to unmarshal auth request session linked")
+	}
+
+	return added, nil
+}
+
+type FailedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Reason domain.OIDCErrorReason `json:"reason,omitempty"`
+}
+
+func (e *FailedEvent) Data() interface{} {
+	return e
+}
+
+func (e *FailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewFailedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	reason domain.OIDCErrorReason,
+) *FailedEvent {
+	return &FailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			FailedType,
+		),
+		Reason: reason,
+	}
+}
+
+func FailedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	added := &FailedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, added)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "AUTHR-Sfe3w", "unable to unmarshal auth request session linked")
+	}
+
+	return added, nil
+}
+
+type CodeAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *CodeAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *CodeAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewCodeAddedEvent(ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *CodeAddedEvent {
+	return &CodeAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			CodeAddedType,
+		),
+	}
+}
+
+func CodeAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	added := &CodeAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, added)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "AUTHR-Sfe3w", "unable to unmarshal auth request code added")
+	}
+
+	return added, nil
+}
+
+type CodeExchangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *CodeExchangedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *CodeExchangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewCodeExchangedEvent(ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *CodeExchangedEvent {
+	return &CodeExchangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			CodeExchangedType,
+		),
+	}
+}
+
+func CodeExchangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	return &CodeExchangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type SucceededEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *SucceededEvent) Data() interface{} {
+	return nil
+}
+
+func (e *SucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewSucceededEvent(ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *SucceededEvent {
+	return &SucceededEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SucceededType,
+		),
+	}
+}
+
+func SucceededEventMapper(event *repository.Event) (eventstore.Event, error) {
+	return &SucceededEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/authrequest/eventstore.go
+++ b/internal/repository/authrequest/eventstore.go
@@ -0,0 +1,12 @@
+package authrequest
+
+import "github.com/zitadel/zitadel/internal/eventstore"
+
+func RegisterEventMappers(es *eventstore.Eventstore) {
+	es.RegisterFilterEventMapper(AggregateType, AddedType, AddedEventMapper).
+		RegisterFilterEventMapper(AggregateType, SessionLinkedType, SessionLinkedEventMapper).
+		RegisterFilterEventMapper(AggregateType, CodeAddedType, CodeAddedEventMapper).
+		RegisterFilterEventMapper(AggregateType, CodeExchangedType, CodeExchangedEventMapper).
+		RegisterFilterEventMapper(AggregateType, FailedType, FailedEventMapper).
+		RegisterFilterEventMapper(AggregateType, SucceededType, SucceededEventMapper)
+}
--- a/internal/repository/oidcsession/aggregate.go
+++ b/internal/repository/oidcsession/aggregate.go
@@ -0,0 +1,25 @@
+package oidcsession
+
+import (
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+const (
+	AggregateType    = "oidc_session"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
+
+func NewAggregate(id, resourceOwner string) *Aggregate {
+	return &Aggregate{
+		Aggregate: eventstore.Aggregate{
+			Type:          AggregateType,
+			Version:       AggregateVersion,
+			ID:            id,
+			ResourceOwner: resourceOwner,
+		},
+	}
+}
--- a/internal/repository/oidcsession/eventstore.go
+++ b/internal/repository/oidcsession/eventstore.go
@@ -0,0 +1,11 @@
+package oidcsession
+
+import "github.com/zitadel/zitadel/internal/eventstore"
+
+func RegisterEventMappers(es *eventstore.Eventstore) {
+	es.RegisterFilterEventMapper(AggregateType, AddedType, AddedEventMapper).
+		RegisterFilterEventMapper(AggregateType, AccessTokenAddedType, AccessTokenAddedEventMapper).
+		RegisterFilterEventMapper(AggregateType, RefreshTokenAddedType, RefreshTokenAddedEventMapper).
+		RegisterFilterEventMapper(AggregateType, RefreshTokenRenewedType, RefreshTokenRenewedEventMapper)
+
+}
--- a/internal/repository/oidcsession/oidc_session.go
+++ b/internal/repository/oidcsession/oidc_session.go
@@ -0,0 +1,215 @@
+package oidcsession
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/repository"
+)
+
+const (
+	oidcSessionEventPrefix  = "oidc_session."
+	AddedType               = oidcSessionEventPrefix + "added"
+	AccessTokenAddedType    = oidcSessionEventPrefix + "access_token.added"
+	RefreshTokenAddedType   = oidcSessionEventPrefix + "refresh_token.added"
+	RefreshTokenRenewedType = oidcSessionEventPrefix + "refresh_token.renewed"
+)
+
+type AddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserID                string    `json:"userID"`
+	SessionID             string    `json:"sessionID"`
+	ClientID              string    `json:"clientID"`
+	Audience              []string  `json:"audience"`
+	Scope                 []string  `json:"scope"`
+	AuthMethodsReferences []string  `json:"authMethodsReferences"`
+	AuthTime              time.Time `json:"authTime"`
+}
+
+func (e *AddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *AddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAddedEvent(ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID,
+	sessionID,
+	clientID string,
+	audience,
+	scope []string,
+	authMethodsReferences []string,
+	authTime time.Time,
+) *AddedEvent {
+	return &AddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			AddedType,
+		),
+		UserID:                userID,
+		SessionID:             sessionID,
+		ClientID:              clientID,
+		Audience:              audience,
+		Scope:                 scope,
+		AuthMethodsReferences: authMethodsReferences,
+		AuthTime:              authTime,
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	added := &AddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, added)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDCS-DG4gn", "unable to unmarshal oidc session added")
+	}
+
+	return added, nil
+}
+
+type AccessTokenAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID       string        `json:"id"`
+	Scope    []string      `json:"scope"`
+	Lifetime time.Duration `json:"lifetime"`
+}
+
+func (e *AccessTokenAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *AccessTokenAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAccessTokenAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id string,
+	scope []string,
+	lifetime time.Duration,
+) *AccessTokenAddedEvent {
+	return &AccessTokenAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			AccessTokenAddedType,
+		),
+		ID:       id,
+		Scope:    scope,
+		Lifetime: lifetime,
+	}
+}
+
+func AccessTokenAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	added := &AccessTokenAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, added)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDCS-DSGn5", "unable to unmarshal access token added")
+	}
+
+	return added, nil
+}
+
+type RefreshTokenAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID           string        `json:"id"`
+	Lifetime     time.Duration `json:"lifetime"`
+	IdleLifetime time.Duration `json:"idleLifetime"`
+}
+
+func (e *RefreshTokenAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *RefreshTokenAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewRefreshTokenAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id string,
+	lifetime,
+	idleLifetime time.Duration,
+) *RefreshTokenAddedEvent {
+	return &RefreshTokenAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			RefreshTokenAddedType,
+		),
+		ID:           id,
+		Lifetime:     lifetime,
+		IdleLifetime: idleLifetime,
+	}
+}
+
+func RefreshTokenAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	added := &RefreshTokenAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, added)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDCS-aW3gqq", "unable to unmarshal refresh token added")
+	}
+
+	return added, nil
+}
+
+type RefreshTokenRenewedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID           string        `json:"id"`
+	IdleLifetime time.Duration `json:"idleLifetime"`
+}
+
+func (e *RefreshTokenRenewedEvent) Data() interface{} {
+	return e
+}
+
+func (e *RefreshTokenRenewedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewRefreshTokenRenewedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id string,
+	idleLifetime time.Duration,
+) *RefreshTokenRenewedEvent {
+	return &RefreshTokenRenewedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			RefreshTokenRenewedType,
+		),
+		ID:           id,
+		IdleLifetime: idleLifetime,
+	}
+}
+
+func RefreshTokenRenewedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	added := &RefreshTokenRenewedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, added)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDCS-SF3fc", "unable to unmarshal refresh token renewed")
+	}
+
+	return added, nil
+}