feat(oidc): add clock skew and userinfo claims in ID Token (#1022)

* feat: add clock skew * add IDTokenUserinfoAssertion * migration * fix missing converter * update oidc version * fix interface impl
2025-08-11 21:37:32 +00:00 · 2020-11-27 14:10:52 +01:00
parent 2cd6da361a
commit 2331b8a4c0
11 changed files with 221 additions and 156 deletions
--- a/internal/project/repository/eventsourcing/model/oidc_config.go
+++ b/internal/project/repository/eventsourcing/model/oidc_config.go
@@ -3,6 +3,7 @@ package model
 import (
 	"encoding/json"
 	"reflect"
+	"time"

 	"github.com/caos/logging"

@@ -27,6 +28,8 @@ type OIDCConfig struct {
 	AccessTokenType          int32               `json:"accessTokenType,omitempty"`
 	AccessTokenRoleAssertion bool                `json:"accessTokenRoleAssertion,omitempty"`
 	IDTokenRoleAssertion     bool                `json:"idTokenRoleAssertion,omitempty"`
+	IDTokenUserinfoAssertion bool                `json:"idTokenUserinfoAssertion,omitempty"`
+	ClockSkew                time.Duration       `json:"clockSkew,omitempty"`
 }

 func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
@@ -65,6 +68,12 @@ func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
 	if c.IDTokenRoleAssertion != changed.IDTokenRoleAssertion {
 		changes["idTokenRoleAssertion"] = changed.IDTokenRoleAssertion
 	}
+	if c.IDTokenUserinfoAssertion != changed.IDTokenUserinfoAssertion {
+		changes["idTokenUserinfoAssertion"] = changed.IDTokenUserinfoAssertion
+	}
+	if c.ClockSkew != changed.ClockSkew {
+		changes["clockSkew"] = changed.ClockSkew
+	}
 	return changes
 }

@@ -93,6 +102,8 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
 		AccessTokenType:          int32(config.AccessTokenType),
 		AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
 		IDTokenRoleAssertion:     config.IDTokenRoleAssertion,
+		IDTokenUserinfoAssertion: config.IDTokenUserinfoAssertion,
+		ClockSkew:                config.ClockSkew,
 	}
 }

@@ -121,6 +132,8 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
 		AccessTokenType:          model.OIDCTokenType(config.AccessTokenType),
 		AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
 		IDTokenRoleAssertion:     config.IDTokenRoleAssertion,
+		IDTokenUserinfoAssertion: config.IDTokenUserinfoAssertion,
+		ClockSkew:                config.ClockSkew,
 	}
 	oidcConfig.FillCompliance()
 	return oidcConfig
--- a/internal/project/repository/view/model/application.go
+++ b/internal/project/repository/view/model/application.go
@@ -48,6 +48,8 @@ type ApplicationView struct {
 	AccessTokenType            int32          `json:"accessTokenType" gorm:"column:access_token_type"`
 	AccessTokenRoleAssertion   bool           `json:"accessTokenRoleAssertion" gorm:"column:access_token_role_assertion"`
 	IDTokenRoleAssertion       bool           `json:"idTokenRoleAssertion" gorm:"column:id_token_role_assertion"`
+	IDTokenUserinfoAssertion   bool           `json:"idTokenUserinfoAssertion" gorm:"column:id_token_userinfo_assertion"`
+	ClockSkew                  time.Duration  `json:"clockSkew" gorm:"column:clock_skew"`

 	Sequence uint64 `json:"-" gorm:"sequence"`
 }
@@ -80,6 +82,8 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
 		AccessTokenType:            model.OIDCTokenType(app.AccessTokenType),
 		AccessTokenRoleAssertion:   app.AccessTokenRoleAssertion,
 		IDTokenRoleAssertion:       app.IDTokenRoleAssertion,
+		IDTokenUserinfoAssertion:   app.IDTokenUserinfoAssertion,
+		ClockSkew:                  app.ClockSkew,
 	}
 }