TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 00:47:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(oidc): store requested response_mode (#8145)

Browse Source 
# Which Problems Are Solved

Zitadel never stored or returned the requested `response_mode` in oidc
Auth Requests. This caused the oidc library to fallback to the default
based on the response_type.

# How the Problems Are Solved

- Store the `response_mode` in the Auth request repo
- Store the `response_mode` in the Auth request v2 events
- Return the `resonse_mode` from the Auth Request v1 and v2
`ResponseMode()` methods. (Was hard-coded to an empty string)

# Additional Changes

- Populate the `response_modes_supported` to the oidc Discovery
Configuration. When it was empty, the standard specifies the default of
`query` and `fragment`. However, our oidc library also supports
`form_post` and by this fix, zitadel now also supports this.

# Additional Context

- Closes #6586
- Reported
https://discord.com/channels/927474939156643850/1151508313717084220

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
Tim Möhlmann
2024-06-17 12:50:12 +03:00
committed by GitHub
parent 85d7536d44
commit 1aa8c49e41
15 changed files with 287 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
internal/command/auth_request.go
View File

@@ -21,6 +21,7 @@ type AuthRequest struct {
Scope []string
Audience []string
ResponseType domain.OIDCResponseType
ResponseMode domain.OIDCResponseMode
CodeChallenge *domain.OIDCCodeChallenge
Prompt []domain.Prompt
UILocales []string
@@ -64,6 +65,7 @@ func (c *Commands) AddAuthRequest(ctx context.Context, authRequest *AuthRequest)
authRequest.Scope,
authRequest.Audience,
authRequest.ResponseType,
authRequest.ResponseMode,
authRequest.CodeChallenge,
authRequest.Prompt,
authRequest.UILocales,
@@ -162,6 +164,7 @@ func authRequestWriteModelToCurrentAuthRequest(writeModel *AuthRequestWriteModel
Scope: writeModel.Scope,
Audience: writeModel.Audience,
ResponseType: writeModel.ResponseType,
ResponseMode: writeModel.ResponseMode,
CodeChallenge: writeModel.CodeChallenge,
Prompt: writeModel.Prompt,
UILocales: writeModel.UILocales,

2
internal/command/auth_request_model.go
View File

@@ -23,6 +23,7 @@ type AuthRequestWriteModel struct {
Scope []string
Audience []string
ResponseType domain.OIDCResponseType
ResponseMode domain.OIDCResponseMode
CodeChallenge *domain.OIDCCodeChallenge
Prompt []domain.Prompt
UILocales []string
@@ -58,6 +59,7 @@ func (m *AuthRequestWriteModel) Reduce() error {
m.Scope = e.Scope
m.Audience = e.Audience
m.ResponseType = e.ResponseType
m.ResponseMode = e.ResponseMode
m.CodeChallenge = e.CodeChallenge
m.Prompt = e.Prompt
m.UILocales = e.UILocales

17
internal/command/auth_request_test.go
View File

@@ -54,6 +54,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -89,6 +90,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
&domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
@@ -115,6 +117,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
Scope: []string{"openid"},
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
CodeChallenge: &domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
@@ -137,6 +140,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
Scope: []string{"openid"},
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
CodeChallenge: &domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
@@ -220,6 +224,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -261,6 +266,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -300,6 +306,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -338,6 +345,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -399,6 +407,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -449,6 +458,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -513,6 +523,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
Scope: []string{"openid"},
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
},
SessionID: "sessionID",
UserID: "userID",
@@ -535,6 +546,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -600,6 +612,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
Scope: []string{"openid"},
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
},
SessionID: "sessionID",
UserID: "userID",
@@ -678,6 +691,7 @@ func TestCommands_FailAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -712,6 +726,7 @@ func TestCommands_FailAuthRequest(t *testing.T) {
Scope: []string{"openid"},
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
},
},
},
@@ -773,6 +788,7 @@ func TestCommands_AddAuthRequestCode(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
&domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
@@ -810,6 +826,7 @@ func TestCommands_AddAuthRequestCode(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
&domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,

4
internal/command/oidc_session_test.go
View File

@@ -124,6 +124,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
[]string{"openid", "offline_access"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
&domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
@@ -167,6 +168,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
[]string{"openid", "offline_access"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
&domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
@@ -218,6 +220,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
[]string{"openid", "offline_access"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
domain.OIDCResponseModeQuery,
&domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
@@ -336,6 +339,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeIDToken,
domain.OIDCResponseModeQuery,
&domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,