feat(oidc): add clock skew and userinfo claims in ID Token (#1022)

* feat: add clock skew * add IDTokenUserinfoAssertion * migration * fix missing converter * update oidc version * fix interface impl
2025-08-12 08:07:32 +00:00 · 2020-11-27 14:10:52 +01:00
parent 2cd6da361a
commit 2331b8a4c0
11 changed files with 221 additions and 156 deletions
--- a/internal/api/grpc/management/application_converter.go
+++ b/internal/api/grpc/management/application_converter.go
@@ -6,6 +6,7 @@ import (
 	"github.com/caos/logging"
 	"github.com/golang/protobuf/ptypes"
 	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/structpb"

 	"github.com/caos/zitadel/internal/eventstore/models"
@@ -59,6 +60,8 @@ func oidcConfigFromModel(config *proj_model.OIDCConfig) *management.OIDCConfig {
 		AccessTokenType:          oidcTokenTypeFromModel(config.AccessTokenType),
 		AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
 		IdTokenRoleAssertion:     config.IDTokenRoleAssertion,
+		IdTokenUserinfoAssertion: config.IDTokenUserinfoAssertion,
+		ClockSkew:                durationpb.New(config.ClockSkew),
 	}
 }

@@ -78,6 +81,8 @@ func oidcConfigFromApplicationViewModel(app *proj_model.ApplicationView) *manage
 		AccessTokenType:          oidcTokenTypeFromModel(app.AccessTokenType),
 		AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
 		IdTokenRoleAssertion:     app.IDTokenRoleAssertion,
+		IdTokenUserinfoAssertion: app.IDTokenUserinfoAssertion,
+		ClockSkew:                durationpb.New(app.ClockSkew),
 	}
 }

@@ -109,6 +114,8 @@ func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.App
 			AccessTokenType:          oidcTokenTypeToModel(app.AccessTokenType),
 			AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
 			IDTokenRoleAssertion:     app.IdTokenRoleAssertion,
+			IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion,
+			ClockSkew:                app.ClockSkew.AsDuration(),
 		},
 	}
 }
@@ -139,6 +146,8 @@ func oidcConfigUpdateToModel(app *management.OIDCConfigUpdate) *proj_model.OIDCC
 		AccessTokenType:          oidcTokenTypeToModel(app.AccessTokenType),
 		AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
 		IDTokenRoleAssertion:     app.IdTokenRoleAssertion,
+		IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion,
+		ClockSkew:                app.ClockSkew.AsDuration(),
 	}
 }

--- a/internal/api/oidc/client_converter.go
+++ b/internal/api/oidc/client_converter.go
@@ -110,6 +110,14 @@ func (c *Client) IsScopeAllowed(scope string) bool {
 	return false
 }

+func (c *Client) ClockSkew() time.Duration {
+	return c.ApplicationView.ClockSkew
+}
+
+func (c *Client) IDTokenUserinfoClaimsAssertion() bool {
+	return c.ApplicationView.IDTokenUserinfoAssertion
+}
+
 func accessTokenTypeToOIDC(tokenType model.OIDCTokenType) op.AccessTokenType {
 	switch tokenType {
 	case model.OIDCTokenTypeBearer:
--- a/internal/project/model/application_view.go
+++ b/internal/project/model/application_view.go
@@ -32,6 +32,8 @@ type ApplicationView struct {
 	AccessTokenType            OIDCTokenType
 	IDTokenRoleAssertion       bool
 	AccessTokenRoleAssertion   bool
+	IDTokenUserinfoAssertion   bool
+	ClockSkew                  time.Duration

 	Sequence uint64
 }
--- a/internal/project/model/oidc_config.go
+++ b/internal/project/model/oidc_config.go
@@ -3,6 +3,7 @@ package model
 import (
 	"fmt"
 	"strings"
+	"time"

 	"github.com/caos/logging"

@@ -37,6 +38,8 @@ type OIDCConfig struct {
 	AccessTokenType          OIDCTokenType
 	AccessTokenRoleAssertion bool
 	IDTokenRoleAssertion     bool
+	IDTokenUserinfoAssertion bool
+	ClockSkew                time.Duration
 }

 type OIDCVersion int32
--- a/internal/project/repository/eventsourcing/model/oidc_config.go
+++ b/internal/project/repository/eventsourcing/model/oidc_config.go
@@ -3,6 +3,7 @@ package model
 import (
 	"encoding/json"
 	"reflect"
+	"time"

 	"github.com/caos/logging"

@@ -27,6 +28,8 @@ type OIDCConfig struct {
 	AccessTokenType          int32               `json:"accessTokenType,omitempty"`
 	AccessTokenRoleAssertion bool                `json:"accessTokenRoleAssertion,omitempty"`
 	IDTokenRoleAssertion     bool                `json:"idTokenRoleAssertion,omitempty"`
+	IDTokenUserinfoAssertion bool                `json:"idTokenUserinfoAssertion,omitempty"`
+	ClockSkew                time.Duration       `json:"clockSkew,omitempty"`
 }

 func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
@@ -65,6 +68,12 @@ func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
 	if c.IDTokenRoleAssertion != changed.IDTokenRoleAssertion {
 		changes["idTokenRoleAssertion"] = changed.IDTokenRoleAssertion
 	}
+	if c.IDTokenUserinfoAssertion != changed.IDTokenUserinfoAssertion {
+		changes["idTokenUserinfoAssertion"] = changed.IDTokenUserinfoAssertion
+	}
+	if c.ClockSkew != changed.ClockSkew {
+		changes["clockSkew"] = changed.ClockSkew
+	}
 	return changes
 }

@@ -93,6 +102,8 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
 		AccessTokenType:          int32(config.AccessTokenType),
 		AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
 		IDTokenRoleAssertion:     config.IDTokenRoleAssertion,
+		IDTokenUserinfoAssertion: config.IDTokenUserinfoAssertion,
+		ClockSkew:                config.ClockSkew,
 	}
 }

@@ -121,6 +132,8 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
 		AccessTokenType:          model.OIDCTokenType(config.AccessTokenType),
 		AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
 		IDTokenRoleAssertion:     config.IDTokenRoleAssertion,
+		IDTokenUserinfoAssertion: config.IDTokenUserinfoAssertion,
+		ClockSkew:                config.ClockSkew,
 	}
 	oidcConfig.FillCompliance()
 	return oidcConfig
--- a/internal/project/repository/view/model/application.go
+++ b/internal/project/repository/view/model/application.go
@@ -48,6 +48,8 @@ type ApplicationView struct {
 	AccessTokenType            int32          `json:"accessTokenType" gorm:"column:access_token_type"`
 	AccessTokenRoleAssertion   bool           `json:"accessTokenRoleAssertion" gorm:"column:access_token_role_assertion"`
 	IDTokenRoleAssertion       bool           `json:"idTokenRoleAssertion" gorm:"column:id_token_role_assertion"`
+	IDTokenUserinfoAssertion   bool           `json:"idTokenUserinfoAssertion" gorm:"column:id_token_userinfo_assertion"`
+	ClockSkew                  time.Duration  `json:"clockSkew" gorm:"column:clock_skew"`

 	Sequence uint64 `json:"-" gorm:"sequence"`
 }
@@ -80,6 +82,8 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
 		AccessTokenType:            model.OIDCTokenType(app.AccessTokenType),
 		AccessTokenRoleAssertion:   app.AccessTokenRoleAssertion,
 		IDTokenRoleAssertion:       app.IDTokenRoleAssertion,
+		IDTokenUserinfoAssertion:   app.IDTokenUserinfoAssertion,
+		ClockSkew:                  app.ClockSkew,
 	}
 }