diff --git a/build/dockerfile b/build/dockerfile
index ffa4ad35b9..ca583d221a 100644
--- a/build/dockerfile
+++ b/build/dockerfile
@@ -12,7 +12,7 @@ RUN wget -O protoc https://github.com/protocolbuffers/protobuf/releases/download
 && unzip protoc \
 && wget -O bin/protoc-gen-grpc-web https://github.com/grpc/grpc-web/releases/download/1.2.0/protoc-gen-grpc-web-1.2.0-linux-x86_64 \
 && chmod +x bin/protoc-gen-grpc-web
-RUN curl https://raw.githubusercontent.com/envoyproxy/protoc-gen-validate/v0.4.0/validate/validate.proto --create-dirs -o validate/validate.proto \
+RUN curl https://raw.githubusercontent.com/envoyproxy/protoc-gen-validate/v0.4.1/validate/validate.proto --create-dirs -o validate/validate.proto \
 && curl https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/v1.14.6/protoc-gen-swagger/options/annotations.proto --create-dirs -o protoc-gen-swagger/options/annotations.proto \
 && curl https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/v1.14.6/protoc-gen-swagger/options/openapiv2.proto --create-dirs -o protoc-gen-swagger/options/openapiv2.proto \
 && curl https://raw.githubusercontent.com/googleapis/googleapis/master/google/api/annotations.proto --create-dirs -o google/api/annotations.proto \
diff --git a/go.mod b/go.mod
index 64b2115dbe..71a00780fa 100644
--- a/go.mod
+++ b/go.mod
@@ -15,9 +15,9 @@ require (
 github.com/allegro/bigcache v1.2.1
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc
 github.com/caos/logging v0.0.2
- github.com/caos/oidc v0.12.5
+ github.com/caos/oidc v0.13.0
 github.com/cockroachdb/cockroach-go/v2 v2.0.8
- github.com/envoyproxy/protoc-gen-validate v0.1.0
+ github.com/envoyproxy/protoc-gen-validate v0.4.1
 github.com/ghodss/yaml v1.0.0
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 github.com/golang/mock v1.4.4
diff --git a/go.sum b/go.sum
index 79e6fe93d9..a9d98c7947 100644
--- a/go.sum
+++ b/go.sum
@@ -86,8 +86,8 @@ github.com/caos/logging v0.0.2 h1:ebg5C/HN0ludYR+WkvnFjwSExF4wvyiWPyWGcKMYsoo= github.com/caos/logging v0.0.2 h1:ebg5C/HN0ludYR+WkvnFjwSExF4wvyiWPyWGcKMYsoo= github.com/caos/logging v0.0.2/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0= github.com/caos/logging v0.0.2/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0= -github.com/caos/oidc v0.12.5 h1:BN3iu6ZokOIbuoOkLRX/tAZPAfVoTXIkYflKmV156U8= -github.com/caos/oidc v0.12.5/go.mod h1:dLvfYUiAt9ORfl77L/KkcWuR/N0ll8Ry1nD2ERsamDY= +github.com/caos/oidc v0.13.0 h1:l1IKrqV3HaS2TfseuC5kOR3DdEPfY9AbJXuZ7dsIEQo= +github.com/caos/oidc v0.13.0/go.mod h1:dLvfYUiAt9ORfl77L/KkcWuR/N0ll8Ry1nD2ERsamDY= github.com/census-instrumentation/opencensus-proto v0.2.1 h1:glEXhBS5PSLLv4IXzLA5yPRVX4bilULVyxxbrfOtDAk= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= @@ -125,6 +125,8 @@ github.com/envoyproxy/go-control-plane v0.9.4 h1:rEvIZUSZ3fx39WIi3JkQqQBitGwpELB github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/envoyproxy/protoc-gen-validate v0.4.1 h1:7dLaJvASGRD7X49jSCSXXHwKPm0ZN9r9kJD+p+vS7dM= +github.com/envoyproxy/protoc-gen-validate v0.4.1/go.mod h1:E+IEazqdaWv3FrnGtZIu3b9fPFMK8AzeTTrk9SfVwWs= github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y= github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0= github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ= 
@@ -261,6 +263,8 @@ github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw= github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= +github.com/iancoleman/strcase v0.0.0-20180726023541-3605ed457bf7 h1:ux/56T2xqZO/3cP1I2F86qpeoYPCOzk+KF/UH/Ar+lk= +github.com/iancoleman/strcase v0.0.0-20180726023541-3605ed457bf7/go.mod h1:SK73tn/9oHe+/Y0h39VT4UCxmurVJkR5NA7kMEAOgSE= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6 h1:UDMh68UUwekSh5iP2OMhRRZJiiBccgV7axzUG8vi56c= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= @@ -339,6 +343,7 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515 h1:T+h1c/A9Gawja4Y9mFVWj2vyii2bbUNDw3kt9VxK2EY= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= 
@@ -355,6 +360,7 @@ github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.4.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.8.0 h1:9xohqzkUwzR4Ga4ivdTcawVS89YSDVxXMa3xJX3cGzg= github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lyft/protoc-gen-star v0.5.1/go.mod h1:9toiA3cC7z5uVbODF7kEQ91Xn7XNFkVUl+SrEe+ZORU= github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ= github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.8 h1:c1ghPdyEDarC70ftn0y+A/Ee++9zz8ljHG1b13eJ0s8= @@ -385,6 +391,7 @@ github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFSt github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok= 
@@ -417,6 +424,10 @@ github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sony/sonyflake v1.0.0 h1:MpU6Ro7tfXwgn2l5eluf9xQvQJDROTBImNCfRXn/YeM= github.com/sony/sonyflake v1.0.0/go.mod h1:Jv3cfhf/UFtolOTTRd3q4Nl6ENqM+KfyZ5PseKfZGF4= +github.com/spf13/afero v1.3.3 h1:p5gZEKLYoL7wh8VrJesMaYeNxdEd1v3cb4irOk9zB54= +github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= +github.com/spf13/afero v1.3.4 h1:8q6vk3hthlpb2SouZcnBVKboxWQWMDNF38bwholZrJc= +github.com/spf13/afero v1.3.4/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -690,6 +701,7 @@ golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWc golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200522201501-cb1345f3a375/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200701151220-7cb253f4c4f8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200713011307-fd294ab11aed/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= diff --git a/internal/api/grpc/management/application_converter.go b/internal/api/grpc/management/application_converter.go index 07c4542107..e3ebafa396 100644 
--- a/internal/api/grpc/management/application_converter.go
+++ b/internal/api/grpc/management/application_converter.go
@@ -6,6 +6,7 @@ import (
 "github.com/caos/logging"
 "github.com/golang/protobuf/ptypes"
 "google.golang.org/protobuf/encoding/protojson"
+ "google.golang.org/protobuf/types/known/durationpb"
 "google.golang.org/protobuf/types/known/structpb"
 
 "github.com/caos/zitadel/internal/eventstore/models"
@@ -59,6 +60,8 @@ func oidcConfigFromModel(config *proj_model.OIDCConfig) *management.OIDCConfig {
 AccessTokenType: oidcTokenTypeFromModel(config.AccessTokenType),
 AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
 IdTokenRoleAssertion: config.IDTokenRoleAssertion,
+ IdTokenUserinfoAssertion: config.IDTokenUserinfoAssertion,
+ ClockSkew: durationpb.New(config.ClockSkew),
 }
 }
 
@@ -78,6 +81,8 @@ func oidcConfigFromApplicationViewModel(app *proj_model.ApplicationView) *manage
 AccessTokenType: oidcTokenTypeFromModel(app.AccessTokenType),
 AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
 IdTokenRoleAssertion: app.IDTokenRoleAssertion,
+ IdTokenUserinfoAssertion: app.IDTokenUserinfoAssertion,
+ ClockSkew: durationpb.New(app.ClockSkew),
 }
 }
 
@@ -109,6 +114,8 @@ func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.App
 AccessTokenType: oidcTokenTypeToModel(app.AccessTokenType),
 AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
 IDTokenRoleAssertion: app.IdTokenRoleAssertion,
+ IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion,
+ ClockSkew: app.ClockSkew.AsDuration(),
 },
 }
 }
@@ -139,6 +146,8 @@ func oidcConfigUpdateToModel(app *management.OIDCConfigUpdate) *proj_model.OIDCC
 AccessTokenType: oidcTokenTypeToModel(app.AccessTokenType),
 AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
 IDTokenRoleAssertion: app.IdTokenRoleAssertion,
+ IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion,
+ ClockSkew: app.ClockSkew.AsDuration(),
 }
 }
 
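Review bot: In oidcAppCreateToModel and oidcConfigUpdateToModel the new `ClockSkew: app.ClockSkew.AsDuration()` lines copy the request value into the domain model unchanged; the only bound on it is the `validate.rules` `{gte: {}, lte: {seconds: 5}}` annotation on the request messages in management.proto, which is enforced only where the generated Validate() is actually called before these converters run, and nothing in the model re-checks it. If, as the name suggests, the oidc layer uses this as the tolerance when checking token time claims, an oversized skew widens the acceptance window for every token of that application, so a defensive clamp here or in the model would keep the guarantee independent of the transport; at minimum a comment such as `// ClockSkew is bounded to [0, 5s] only by the validate rule on the request message; the model does not re-check it.` should record the dependency. The nil case is fine as written: `AsDuration` on a nil `*durationpb.Duration` yields 0. Both enclosing functions start and end outside their hunks.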
diff --git a/internal/api/oidc/client_converter.go b/internal/api/oidc/client_converter.go
index 94eac96f76..a1d9153826 100644
--- a/internal/api/oidc/client_converter.go
+++ b/internal/api/oidc/client_converter.go
@@ -110,6 +110,14 @@ func (c *Client) IsScopeAllowed(scope string) bool {
 return false
 }
 
+func (c *Client) ClockSkew() time.Duration {
+ return c.ApplicationView.ClockSkew
+}
+
+func (c *Client) IDTokenUserinfoClaimsAssertion() bool {
+ return c.ApplicationView.IDTokenUserinfoAssertion
+}
+
 func accessTokenTypeToOIDC(tokenType model.OIDCTokenType) op.AccessTokenType {
 switch tokenType {
 case model.OIDCTokenTypeBearer:
diff --git a/internal/project/model/application_view.go b/internal/project/model/application_view.go
index e6c5d334c3..97fcb8a751 100644
--- a/internal/project/model/application_view.go
+++ b/internal/project/model/application_view.go
@@ -32,6 +32,8 @@ type ApplicationView struct {
 AccessTokenType OIDCTokenType
 IDTokenRoleAssertion bool
 AccessTokenRoleAssertion bool
+ IDTokenUserinfoAssertion bool
+ ClockSkew time.Duration
 Sequence uint64
 }
 
diff --git a/internal/project/model/oidc_config.go b/internal/project/model/oidc_config.go
index 1f267c8f60..8c04b9fba5 100644
--- a/internal/project/model/oidc_config.go
+++ b/internal/project/model/oidc_config.go
@@ -3,6 +3,7 @@ package model
 import (
 "fmt"
 "strings"
+ "time"
 
 "github.com/caos/logging"
 
@@ -37,6 +38,8 @@ type OIDCConfig struct {
 AccessTokenType OIDCTokenType
 AccessTokenRoleAssertion bool
 IDTokenRoleAssertion bool
+ IDTokenUserinfoAssertion bool
+ ClockSkew time.Duration
 }
 
 type OIDCVersion int32
diff --git a/internal/project/repository/eventsourcing/model/oidc_config.go b/internal/project/repository/eventsourcing/model/oidc_config.go
index 29360be1d5..c489742936 100644
--- a/internal/project/repository/eventsourcing/model/oidc_config.go
+++ b/internal/project/repository/eventsourcing/model/oidc_config.go
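Review bot: The new exported methods `ClockSkew` and `IDTokenUserinfoClaimsAssertion` in client_converter.go carry no doc comments, although they look like interface methods the op layer calls (the caos/oidc bump in go.mod points that way), and neither name says what the value means. Suggest `// ClockSkew returns the per-application skew tolerance configured in the ApplicationView; the management API bounds it to 0..5s.` and `// IDTokenUserinfoClaimsAssertion reports whether userinfo claims are to be asserted in the ID token for this application (presumed from the field name; confirm against the op usage).` Both read `c.ApplicationView` without a nil check; how the receiver is built is outside the hunk, so whether that can be nil cannot be judged here. The same two fields added to `model.ApplicationView` and `model.OIDCConfig` in the later hunks on this line would benefit from the same one-line comments.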
@@ -3,6 +3,7 @@ package model
 import (
 "encoding/json"
 "reflect"
+ "time"
 
 "github.com/caos/logging"
 
@@ -27,6 +28,8 @@ type OIDCConfig struct {
 AccessTokenType int32 `json:"accessTokenType,omitempty"`
 AccessTokenRoleAssertion bool `json:"accessTokenRoleAssertion,omitempty"`
 IDTokenRoleAssertion bool `json:"idTokenRoleAssertion,omitempty"`
+ IDTokenUserinfoAssertion bool `json:"idTokenUserinfoAssertion,omitempty"`
+ ClockSkew time.Duration `json:"clockSkew,omitempty"`
 }
 
 func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
@@ -65,6 +68,12 @@ func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
 if c.IDTokenRoleAssertion != changed.IDTokenRoleAssertion {
 changes["idTokenRoleAssertion"] = changed.IDTokenRoleAssertion
 }
+ if c.IDTokenUserinfoAssertion != changed.IDTokenUserinfoAssertion {
+ changes["idTokenUserinfoAssertion"] = changed.IDTokenUserinfoAssertion
+ }
+ if c.ClockSkew != changed.ClockSkew {
+ changes["clockSkew"] = changed.ClockSkew
+ }
 return changes
 }
 
@@ -93,6 +102,8 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
 AccessTokenType: int32(config.AccessTokenType),
 AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
 IDTokenRoleAssertion: config.IDTokenRoleAssertion,
+ IDTokenUserinfoAssertion: config.IDTokenUserinfoAssertion,
+ ClockSkew: config.ClockSkew,
 }
 }
 
@@ -121,6 +132,8 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
 AccessTokenType: model.OIDCTokenType(config.AccessTokenType),
 AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
 IDTokenRoleAssertion: config.IDTokenRoleAssertion,
+ IDTokenUserinfoAssertion: config.IDTokenUserinfoAssertion,
+ ClockSkew: config.ClockSkew,
 }
 oidcConfig.FillCompliance()
 return oidcConfig
diff --git a/internal/project/repository/view/model/application.go b/internal/project/repository/view/model/application.go
index aa38c325fd..9cfa7d2684 100644
--- a/internal/project/repository/view/model/application.go
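Review bot: The new `ClockSkew time.Duration` field with tag `json:"clockSkew,omitempty"` on the eventsourcing OIDCConfig, and the matching `changes["clockSkew"] = changed.ClockSkew` in Changes(), persist the value through encoding/json, which encodes a time.Duration as its underlying int64 nanosecond count; nothing on the field or the Changes() key documents that unit, and the `clock_skew BIGINT` view column added by this commit's migration stores the same number. Suggest a field comment, `// ClockSkew is stored as int64 nanoseconds (time.Duration's JSON encoding); keep in sync with the clock_skew BIGINT view column.` The `omitempty` on the two new fields matches the neighbouring fields, so a create event with a zero skew simply omits the key and unmarshals back to 0 — consistent, but worth knowing when reading raw events. Changes() starts outside this hunk.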
+++ b/internal/project/repository/view/model/application.go
@@ -48,6 +48,8 @@ type ApplicationView struct {
 AccessTokenType int32 `json:"accessTokenType" gorm:"column:access_token_type"`
 AccessTokenRoleAssertion bool `json:"accessTokenRoleAssertion" gorm:"column:access_token_role_assertion"`
 IDTokenRoleAssertion bool `json:"idTokenRoleAssertion" gorm:"column:id_token_role_assertion"`
+ IDTokenUserinfoAssertion bool `json:"idTokenUserinfoAssertion" gorm:"column:id_token_userinfo_assertion"`
+ ClockSkew time.Duration `json:"clockSkew" gorm:"column:clock_skew"`
 Sequence uint64 `json:"-" gorm:"sequence"`
 }
 
@@ -80,6 +82,8 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
 AccessTokenType: model.OIDCTokenType(app.AccessTokenType),
 AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
 IDTokenRoleAssertion: app.IDTokenRoleAssertion,
+ IDTokenUserinfoAssertion: app.IDTokenUserinfoAssertion,
+ ClockSkew: app.ClockSkew,
 }
 }
 
diff --git a/migrations/cockroach/V1.23__application_view.sql b/migrations/cockroach/V1.23__application_view.sql
new file mode 100644
index 0000000000..47d87e8f80
--- /dev/null
+++ b/migrations/cockroach/V1.23__application_view.sql
@@ -0,0 +1,7 @@
+ALTER TABLE management.applications ADD COLUMN id_token_userinfo_assertion BOOLEAN;
+ALTER TABLE auth.applications ADD COLUMN id_token_userinfo_assertion BOOLEAN;
+ALTER TABLE authz.applications ADD COLUMN id_token_userinfo_assertion BOOLEAN;
+
+ALTER TABLE management.applications ADD COLUMN clock_skew BIGINT;
+ALTER TABLE auth.applications ADD COLUMN clock_skew BIGINT;
+ALTER TABLE authz.applications ADD COLUMN clock_skew BIGINT;
diff --git a/pkg/grpc/management/proto/management.proto b/pkg/grpc/management/proto/management.proto
index 52f76c0611..d4184d9eb4 100644
--- a/pkg/grpc/management/proto/management.proto
+++ b/pkg/grpc/management/proto/management.proto
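Review bot: The six `ADD COLUMN` statements in V1.23__application_view.sql add the columns without a DEFAULT or NOT NULL, so every pre-existing row in management/auth/authz.applications gets NULL in id_token_userinfo_assertion and clock_skew, while the view model in this commit (`IDTokenUserinfoAssertion bool` and `ClockSkew time.Duration` in application.go) maps them to non-nullable Go types. Whether the ORM turns that NULL into the zero value or into a scan error depends on the scanner, which is outside this diff; `ADD COLUMN id_token_userinfo_assertion BOOLEAN DEFAULT false` and `ADD COLUMN clock_skew BIGINT DEFAULT 0` would make the migration self-contained and the read-back unambiguous. The BIGINT matches time.Duration's int64 nanoseconds; a header comment such as `-- clock_skew is stored in nanoseconds (Go time.Duration)` would record the unit next to the schema.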
@@ -4,6 +4,7 @@ import "google/api/annotations.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/timestamp.proto"; +import "google/protobuf/duration.proto"; import "protoc-gen-swagger/options/annotations.proto"; import "validate/validate.proto"; import "authoption/options.proto"; @@ -69,7 +70,7 @@ service ManagementService { }; } -rpc GetUserByID(UserID) returns (UserView) { + rpc GetUserByID(UserID) returns (UserView) { option (google.api.http) = { get: "/users/{id}" }; 
@@ -1198,93 +1199,93 @@ rpc GetUserByID(UserID) returns (UserView) { }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.grant.delete" + permission: "user.grant.delete" }; } rpc IdpByID(IdpID) returns (IdpView) { option (google.api.http) = { - get: "/orgs/me/idps/{id}" + get: "/orgs/me/idps/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.read" + permission: "org.idp.read" }; } rpc CreateOidcIdp(OidcIdpConfigCreate) returns (Idp) { option (google.api.http) = { - post: "/orgs/me/idps/oidc" - body: "*" + post: "/orgs/me/idps/oidc" + body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.write" + permission: "org.idp.write" }; } rpc UpdateIdpConfig(IdpUpdate) returns (Idp) { option (google.api.http) = { - put: "/orgs/me/idps/{id}" - body: "*" + put: "/orgs/me/idps/{id}" + body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.write" + permission: "org.idp.write" }; } rpc DeactivateIdpConfig(IdpID) returns (Idp) { option (google.api.http) = { - put: "/orgs/me/idps/{id}/_deactivate" - body: "*" + put: "/orgs/me/idps/{id}/_deactivate" + body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.write" + permission: "org.idp.write" }; } rpc ReactivateIdpConfig(IdpID) returns (Idp) { option (google.api.http) = { - put: "/orgs/me/idps/{id}/_reactivate" - body: "*" + put: "/orgs/me/idps/{id}/_reactivate" + body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.write" + permission: "org.idp.write" }; } rpc RemoveIdpConfig(IdpID) returns (google.protobuf.Empty) { option (google.api.http) = { - delete: "/orgs/me/idps/{id}" + delete: "/orgs/me/idps/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.write" + permission: "org.idp.write" }; } rpc UpdateOidcIdpConfig(OidcIdpConfigUpdate) returns (OidcIdpConfig) { option (google.api.http) = { - put: "/orgs/me/idps/{idp_id}/oidcconfig" - body: "*" + put: 
"/orgs/me/idps/{idp_id}/oidcconfig" + body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.write" + permission: "org.idp.write" }; } rpc SearchIdps(IdpSearchRequest) returns (IdpSearchResponse) { option (google.api.http) = { - post: "/orgs/me/idps/_search" - body: "*" + post: "/orgs/me/idps/_search" + body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.read" + permission: "org.idp.read" }; } 
@@ -1374,64 +1375,64 @@ rpc GetUserByID(UserID) returns (UserView) { rpc GetLoginPolicySecondFactors(google.protobuf.Empty) returns (SecondFactorsResult) { option (google.api.http) = { - get: "/orgs/me/policies/login/secondfactors/_search" - }; + get: "/orgs/me/policies/login/secondfactors/_search" + }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.read" - }; + permission: "iam.policy.read" + }; } rpc AddSecondFactorToLoginPolicy(SecondFactor) returns (SecondFactor) { option (google.api.http) = { - post: "/orgs/me/policies/login/secondfactors" - body: "*" - }; + post: "/orgs/me/policies/login/secondfactors" + body: "*" + }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; + permission: "iam.policy.write" + }; } rpc RemoveSecondFactorFromLoginPolicy(SecondFactor) returns (google.protobuf.Empty) { option (google.api.http) = { - delete: "/orgs/me/policies/login/secondfactors/{second_factor}" - }; + delete: "/orgs/me/policies/login/secondfactors/{second_factor}" + }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; + permission: "iam.policy.write" + }; } rpc GetLoginPolicyMultiFactors(google.protobuf.Empty) returns (MultiFactorsResult) { option (google.api.http) = { - get: "/orgs/me/policies/login/multifactors/_search" - }; + get: "/orgs/me/policies/login/multifactors/_search" + }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.read" - }; + permission: "iam.policy.read" + }; } rpc AddMultiFactorToLoginPolicy(MultiFactor) returns (MultiFactor) { option (google.api.http) = { - post: "/orgs/me/policies/login/multifactors" - body: "*" - }; + post: "/orgs/me/policies/login/multifactors" + body: "*" + }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; + permission: "iam.policy.write" + }; } rpc RemoveMultiFactorFromLoginPolicy(MultiFactor) returns (google.protobuf.Empty) { option (google.api.http) = { - delete: 
"/orgs/me/policies/login/multifactors/{multi_factor}" - }; + delete: "/orgs/me/policies/login/multifactors/{multi_factor}" + }; option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; + permission: "iam.policy.write" + }; } rpc GetPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicyView) { @@ -2000,7 +2001,7 @@ message UserAddress { google.protobuf.Timestamp change_date = 9; } -message UserAddressView { +message UserAddressView { string id = 1; string country = 2; string locality = 3; @@ -2510,6 +2511,8 @@ message OIDCConfig { OIDCTokenType access_token_type = 13; bool access_token_role_assertion = 14; bool id_token_role_assertion = 15; + bool id_token_userinfo_assertion = 16; + google.protobuf.Duration clock_skew = 17; } message OIDCApplicationCreate { @@ -2526,6 +2529,8 @@ message OIDCApplicationCreate { OIDCTokenType access_token_type = 11; bool access_token_role_assertion = 12; bool id_token_role_assertion = 13; + bool id_token_userinfo_assertion = 14; + google.protobuf.Duration clock_skew = 15 [(validate.rules).duration = {gte: {}, lte: {seconds: 5}}]; } enum OIDCVersion { @@ -2533,8 +2538,8 @@ enum OIDCVersion { } enum OIDCTokenType { - OIDCTokenType_Bearer = 0; - OIDCTokenType_JWT = 1; + OIDCTokenType_Bearer = 0; + OIDCTokenType_JWT = 1; } message OIDCConfigUpdate { @@ -2550,6 +2555,8 @@ message OIDCConfigUpdate { OIDCTokenType access_token_type = 10; bool access_token_role_assertion = 11; bool id_token_role_assertion = 12; + bool id_token_userinfo_assertion = 13; + google.protobuf.Duration clock_skew = 14 [(validate.rules).duration = {gte: {}, lte: {seconds: 5}}]; } enum OIDCResponseType { 
@@ -2931,35 +2938,35 @@ enum MemberType { } message IdpID { - string id = 1 [(validate.rules).string = {min_len: 1}]; + string id = 1 [(validate.rules).string = {min_len: 1}]; } message Idp { - string id = 1; - IdpState state = 2; - google.protobuf.Timestamp creation_date = 3; - google.protobuf.Timestamp change_date = 4; - string name = 5; - IdpStylingType styling_type = 6; - oneof idp_config { - OidcIdpConfig oidc_config = 7; - } - uint64 sequence = 8; + string id = 1; + IdpState state = 2; + google.protobuf.Timestamp creation_date = 3; + google.protobuf.Timestamp change_date = 4; + string name = 5; + IdpStylingType styling_type = 6; + oneof idp_config { + OidcIdpConfig oidc_config = 7; + } + uint64 sequence = 8; } message IdpUpdate { - string id = 1 [(validate.rules).string = {min_len: 1}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - IdpStylingType styling_type = 3; + string id = 1 [(validate.rules).string = {min_len: 1}]; + string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + IdpStylingType styling_type = 3; } message OidcIdpConfig { - string client_id = 1; - string client_secret = 2; - string issuer = 3; - repeated string scopes = 4; - OIDCMappingField idp_display_name_mapping = 5; - OIDCMappingField username_mapping = 6; + string client_id = 1; + string client_secret = 2; + string issuer = 3; + repeated string scopes = 4; + OIDCMappingField idp_display_name_mapping = 5; + OIDCMappingField username_mapping = 6; } enum IdpStylingType { @@ -2968,9 +2975,9 @@ enum IdpStylingType { } enum IdpState { - IDPCONFIGSTATE_UNSPECIFIED = 0; - IDPCONFIGSTATE_ACTIVE = 1; - IDPCONFIGSTATE_INACTIVE = 2; + IDPCONFIGSTATE_UNSPECIFIED = 0; + IDPCONFIGSTATE_ACTIVE = 1; + IDPCONFIGSTATE_INACTIVE = 2; } enum OIDCMappingField { 
@@ -2980,83 +2987,83 @@ enum OIDCMappingField { } message OidcIdpConfigCreate { - string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - IdpStylingType styling_type = 2; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 6; - OIDCMappingField idp_display_name_mapping = 7; - OIDCMappingField username_mapping = 8; + string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + IdpStylingType styling_type = 2; + string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; + repeated string scopes = 6; + OIDCMappingField idp_display_name_mapping = 7; + OIDCMappingField username_mapping = 8; } message OidcIdpConfigUpdate { - string idp_id = 1 [(validate.rules).string = {min_len: 1}]; - string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3; - string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 5; - OIDCMappingField idp_display_name_mapping = 6; - OIDCMappingField username_mapping = 7; + string idp_id = 1 [(validate.rules).string = {min_len: 1}]; + string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string client_secret = 3; + string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; + repeated string scopes = 5; + OIDCMappingField idp_display_name_mapping = 6; + OIDCMappingField username_mapping = 7; } message IdpSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated IdpView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; + uint64 
offset = 1; + uint64 limit = 2; + uint64 total_result = 3; + repeated IdpView result = 4; + uint64 processed_sequence = 5; + google.protobuf.Timestamp view_timestamp = 6; } message IdpView { - string id = 1; - IdpState state = 2; - google.protobuf.Timestamp creation_date = 3; - google.protobuf.Timestamp change_date = 4; - string name = 5; - IdpStylingType styling_type = 6; - IdpProviderType provider_type = 7; - oneof idp_config_view { - OidcIdpConfigView oidc_config = 8; - } - uint64 sequence = 9; + string id = 1; + IdpState state = 2; + google.protobuf.Timestamp creation_date = 3; + google.protobuf.Timestamp change_date = 4; + string name = 5; + IdpStylingType styling_type = 6; + IdpProviderType provider_type = 7; + oneof idp_config_view { + OidcIdpConfigView oidc_config = 8; + } + uint64 sequence = 9; } message OidcIdpConfigView { - string client_id = 1; - string issuer = 2; - repeated string scopes = 3; - OIDCMappingField idp_display_name_mapping = 4; - OIDCMappingField username_mapping = 5; + string client_id = 1; + string issuer = 2; + repeated string scopes = 3; + OIDCMappingField idp_display_name_mapping = 4; + OIDCMappingField username_mapping = 5; } message IdpSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - repeated IdpSearchQuery queries = 3; + uint64 offset = 1; + uint64 limit = 2; + repeated IdpSearchQuery queries = 3; } message IdpSearchQuery { - IdpSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2; - string value = 3; + IdpSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; + SearchMethod method = 2; + string value = 3; } enum IdpSearchKey { - IDPSEARCHKEY_UNSPECIFIED = 0; - IDPSEARCHKEY_IDP_CONFIG_ID = 1; - IDPSEARCHKEY_NAME = 2; - IDPSEARCHKEY_PROVIDER_TYPE = 3; + IDPSEARCHKEY_UNSPECIFIED = 0; + IDPSEARCHKEY_IDP_CONFIG_ID = 1; + IDPSEARCHKEY_NAME = 2; + IDPSEARCHKEY_PROVIDER_TYPE = 3; } message LoginPolicy { - bool allow_username_password = 1; - bool allow_register = 2; - bool allow_external_idp = 
3; - google.protobuf.Timestamp creation_date = 4; - google.protobuf.Timestamp change_date = 5; - bool force_mfa = 6; + bool allow_username_password = 1; + bool allow_register = 2; + bool allow_external_idp = 3; + google.protobuf.Timestamp creation_date = 4; + google.protobuf.Timestamp change_date = 5; + bool force_mfa = 6; } message LoginPolicyRequest { @@ -3067,7 +3074,7 @@ message LoginPolicyRequest { } message IdpProviderID { - string idp_config_id = 1 [(validate.rules).string = {min_len: 1}]; + string idp_config_id = 1 [(validate.rules).string = {min_len: 1}]; } message IdpProviderAdd { @@ -3081,25 +3088,25 @@ message IdpProvider { } message LoginPolicyView { - bool default = 1; - bool allow_username_password = 2; - bool allow_register = 3; - bool allow_external_idp = 4; - google.protobuf.Timestamp creation_date = 5; - google.protobuf.Timestamp change_date = 6; - bool force_mfa = 7; + bool default = 1; + bool allow_username_password = 2; + bool allow_register = 3; + bool allow_external_idp = 4; + google.protobuf.Timestamp creation_date = 5; + google.protobuf.Timestamp change_date = 6; + bool force_mfa = 7; } message IdpProviderView { - string idp_config_id = 1; - string name = 2; - IdpType type = 3; + string idp_config_id = 1; + string name = 2; + IdpType type = 3; } enum IdpType { - IDPTYPE_UNSPECIFIED = 0; - IDPTYPE_OIDC = 1; - IDPTYPE_SAML = 2; + IDPTYPE_UNSPECIFIED = 0; + IDPTYPE_OIDC = 1; + IDPTYPE_SAML = 2; } enum IdpProviderType { 
@@ -3109,17 +3116,17 @@ enum IdpProviderType { } message IdpProviderSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated IdpProviderView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; + uint64 offset = 1; + uint64 limit = 2; + uint64 total_result = 3; + repeated IdpProviderView result = 4; + uint64 processed_sequence = 5; + google.protobuf.Timestamp view_timestamp = 6; } message IdpProviderSearchRequest { - uint64 offset = 1; - uint64 limit = 2; + uint64 offset = 1; + uint64 limit = 2; } //ProjectType is deprecated, remove as soon as console is ready