feat(api): add OIDC session service (#6157)

This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-08-11 19:07:30 +00:00 · 2023-07-10 15:27:00 +02:00
parent be1fe36776
commit 14b8cf4894
69 changed files with 5948 additions and 106 deletions
--- a/internal/repository/oidcsession/aggregate.go
+++ b/internal/repository/oidcsession/aggregate.go
@@ -0,0 +1,25 @@
+package oidcsession
+
+import (
+	"github.com/zitadel/zitadel/internal/eventstore"
+)
+
+const (
+	AggregateType    = "oidc_session"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
+
+func NewAggregate(id, resourceOwner string) *Aggregate {
+	return &Aggregate{
+		Aggregate: eventstore.Aggregate{
+			Type:          AggregateType,
+			Version:       AggregateVersion,
+			ID:            id,
+			ResourceOwner: resourceOwner,
+		},
+	}
+}
--- a/internal/repository/oidcsession/eventstore.go
+++ b/internal/repository/oidcsession/eventstore.go
@@ -0,0 +1,11 @@
+package oidcsession
+
+import "github.com/zitadel/zitadel/internal/eventstore"
+
+func RegisterEventMappers(es *eventstore.Eventstore) {
+	es.RegisterFilterEventMapper(AggregateType, AddedType, AddedEventMapper).
+		RegisterFilterEventMapper(AggregateType, AccessTokenAddedType, AccessTokenAddedEventMapper).
+		RegisterFilterEventMapper(AggregateType, RefreshTokenAddedType, RefreshTokenAddedEventMapper).
+		RegisterFilterEventMapper(AggregateType, RefreshTokenRenewedType, RefreshTokenRenewedEventMapper)
+
+}
--- a/internal/repository/oidcsession/oidc_session.go
+++ b/internal/repository/oidcsession/oidc_session.go
@@ -0,0 +1,215 @@
+package oidcsession
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/repository"
+)
+
+const (
+	oidcSessionEventPrefix  = "oidc_session."
+	AddedType               = oidcSessionEventPrefix + "added"
+	AccessTokenAddedType    = oidcSessionEventPrefix + "access_token.added"
+	RefreshTokenAddedType   = oidcSessionEventPrefix + "refresh_token.added"
+	RefreshTokenRenewedType = oidcSessionEventPrefix + "refresh_token.renewed"
+)
+
+type AddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserID                string    `json:"userID"`
+	SessionID             string    `json:"sessionID"`
+	ClientID              string    `json:"clientID"`
+	Audience              []string  `json:"audience"`
+	Scope                 []string  `json:"scope"`
+	AuthMethodsReferences []string  `json:"authMethodsReferences"`
+	AuthTime              time.Time `json:"authTime"`
+}
+
+func (e *AddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *AddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAddedEvent(ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID,
+	sessionID,
+	clientID string,
+	audience,
+	scope []string,
+	authMethodsReferences []string,
+	authTime time.Time,
+) *AddedEvent {
+	return &AddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			AddedType,
+		),
+		UserID:                userID,
+		SessionID:             sessionID,
+		ClientID:              clientID,
+		Audience:              audience,
+		Scope:                 scope,
+		AuthMethodsReferences: authMethodsReferences,
+		AuthTime:              authTime,
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	added := &AddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, added)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDCS-DG4gn", "unable to unmarshal oidc session added")
+	}
+
+	return added, nil
+}
+
+type AccessTokenAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID       string        `json:"id"`
+	Scope    []string      `json:"scope"`
+	Lifetime time.Duration `json:"lifetime"`
+}
+
+func (e *AccessTokenAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *AccessTokenAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAccessTokenAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id string,
+	scope []string,
+	lifetime time.Duration,
+) *AccessTokenAddedEvent {
+	return &AccessTokenAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			AccessTokenAddedType,
+		),
+		ID:       id,
+		Scope:    scope,
+		Lifetime: lifetime,
+	}
+}
+
+func AccessTokenAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	added := &AccessTokenAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, added)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDCS-DSGn5", "unable to unmarshal access token added")
+	}
+
+	return added, nil
+}
+
+type RefreshTokenAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID           string        `json:"id"`
+	Lifetime     time.Duration `json:"lifetime"`
+	IdleLifetime time.Duration `json:"idleLifetime"`
+}
+
+func (e *RefreshTokenAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *RefreshTokenAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewRefreshTokenAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id string,
+	lifetime,
+	idleLifetime time.Duration,
+) *RefreshTokenAddedEvent {
+	return &RefreshTokenAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			RefreshTokenAddedType,
+		),
+		ID:           id,
+		Lifetime:     lifetime,
+		IdleLifetime: idleLifetime,
+	}
+}
+
+func RefreshTokenAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	added := &RefreshTokenAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, added)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDCS-aW3gqq", "unable to unmarshal refresh token added")
+	}
+
+	return added, nil
+}
+
+type RefreshTokenRenewedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID           string        `json:"id"`
+	IdleLifetime time.Duration `json:"idleLifetime"`
+}
+
+func (e *RefreshTokenRenewedEvent) Data() interface{} {
+	return e
+}
+
+func (e *RefreshTokenRenewedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewRefreshTokenRenewedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id string,
+	idleLifetime time.Duration,
+) *RefreshTokenRenewedEvent {
+	return &RefreshTokenRenewedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			RefreshTokenRenewedType,
+		),
+		ID:           id,
+		IdleLifetime: idleLifetime,
+	}
+}
+
+func RefreshTokenRenewedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	added := &RefreshTokenRenewedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, added)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDCS-SF3fc", "unable to unmarshal refresh token renewed")
+	}
+
+	return added, nil
+}