fix: improvements for login and oidc (#227)

* add csrf * caching * caching * caching * caching * security headers * csp and security headers * error handler csp * select user with display name * csp * user selection styling * username to loginname * regenerate grpc * regenerate * change to login name
2025-12-07 17:32:20 +00:00 · 2020-06-17 08:06:40 +02:00
parent dfe6d0deb4
commit 1c59d18fee
108 changed files with 19226 additions and 19220 deletions
--- a/pkg/auth/api/oidc/client.go
+++ b/pkg/auth/api/oidc/client.go
@@ -55,7 +55,7 @@ func (o *OPStorage) GetUserinfoFromScopes(ctx context.Context, userID string, sc
 			userInfo.FamilyName = user.LastName
 			userInfo.GivenName = user.FirstName
 			userInfo.Nickname = user.NickName
-			userInfo.PreferredUsername = user.UserName
+			userInfo.PreferredUsername = user.PreferredLoginName
 			userInfo.UpdatedAt = user.ChangeDate
 			userInfo.Gender = oidc.Gender(getGender(user.Gender))
 		case scopePhone:
--- a/pkg/auth/api/oidc/op.go
+++ b/pkg/auth/api/oidc/op.go
@@ -2,12 +2,14 @@ package oidc

 import (
 	"context"
+	"net/http"
 	"time"

 	"github.com/caos/logging"
 	"github.com/caos/oidc/pkg/op"

 	http_utils "github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/auth/repository"
 	"github.com/caos/zitadel/internal/config/types"
 	"github.com/caos/zitadel/internal/id"
@@ -17,6 +19,7 @@ type OPHandlerConfig struct {
 	OPConfig              *op.Config
 	StorageConfig         StorageConfig
 	UserAgentCookieConfig *http_utils.UserAgentCookieConfig
+	Cache                 *middleware.CacheConfig
 	Endpoints             *EndpointConfig
 }

@@ -51,6 +54,12 @@ type OPStorage struct {
 func NewProvider(ctx context.Context, config OPHandlerConfig, repo repository.Repository) op.OpenIDProvider {
 	cookieHandler, err := http_utils.NewUserAgentHandler(config.UserAgentCookieConfig, id.SonyFlakeGenerator)
 	logging.Log("OIDC-sd4fd").OnError(err).Panic("cannot user agent handler")
+	cache, err := middleware.DefaultCacheInterceptor(config.Endpoints.Keys.Path, config.Cache.MaxAge.Duration, config.Cache.SharedMaxAge.Duration)
+	nextHandler := func(handlerFunc http.HandlerFunc) http.HandlerFunc {
+		return func(w http.ResponseWriter, r *http.Request) {
+			cache(http_utils.CopyHeadersToContext(handlerFunc))
+		}
+	}
 	provider, err := op.NewDefaultOP(
 		ctx,
 		config.OPConfig,
@@ -58,7 +67,7 @@ func NewProvider(ctx context.Context, config OPHandlerConfig, repo repository.Re
 		op.WithHttpInterceptor(
 			UserAgentCookieHandler(
 				cookieHandler,
-				http_utils.CopyHeadersToContext,
+				nextHandler,
 			),
 		),
 		op.WithCustomAuthEndpoint(op.NewEndpointWithURL(config.Endpoints.Auth.Path, config.Endpoints.Auth.URL)),