TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-02-28 23:27:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(oidc): add clock skew and userinfo claims in ID Token (#1022)

Browse Source 
* feat: add clock skew

* add IDTokenUserinfoAssertion

* migration

* fix missing converter

* update oidc version

* fix interface impl
This commit is contained in:
Livio Amstutz 2020-11-27 14:10:52 +01:00 committed by GitHub
parent 2cd6da361a
commit 2331b8a4c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 221 additions and 156 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build/dockerfile
View File

@ -12,7 +12,7 @@ RUN wget -O protoc https://github.com/protocolbuffers/protobuf/releases/download
&& unzip protoc \ && unzip protoc \
&& wget -O bin/protoc-gen-grpc-web https://github.com/grpc/grpc-web/releases/download/1.2.0/protoc-gen-grpc-web-1.2.0-linux-x86_64 \ && wget -O bin/protoc-gen-grpc-web https://github.com/grpc/grpc-web/releases/download/1.2.0/protoc-gen-grpc-web-1.2.0-linux-x86_64 \
&& chmod +x bin/protoc-gen-grpc-web && chmod +x bin/protoc-gen-grpc-web
RUN curl https://raw.githubusercontent.com/envoyproxy/protoc-gen-validate/v0.4.0/validate/validate.proto --create-dirs -o validate/validate.proto \ RUN curl https://raw.githubusercontent.com/envoyproxy/protoc-gen-validate/v0.4.1/validate/validate.proto --create-dirs -o validate/validate.proto \
&& curl https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/v1.14.6/protoc-gen-swagger/options/annotations.proto --create-dirs -o protoc-gen-swagger/options/annotations.proto \ && curl https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/v1.14.6/protoc-gen-swagger/options/annotations.proto --create-dirs -o protoc-gen-swagger/options/annotations.proto \
&& curl https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/v1.14.6/protoc-gen-swagger/options/openapiv2.proto --create-dirs -o protoc-gen-swagger/options/openapiv2.proto \ && curl https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/v1.14.6/protoc-gen-swagger/options/openapiv2.proto --create-dirs -o protoc-gen-swagger/options/openapiv2.proto \
&& curl https://raw.githubusercontent.com/googleapis/googleapis/master/google/api/annotations.proto --create-dirs -o google/api/annotations.proto \ && curl https://raw.githubusercontent.com/googleapis/googleapis/master/google/api/annotations.proto --create-dirs -o google/api/annotations.proto \

4
go.mod
View File

@ -15,9 +15,9 @@ require (
github.com/allegro/bigcache v1.2.1 github.com/allegro/bigcache v1.2.1
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc
github.com/caos/logging v0.0.2 github.com/caos/logging v0.0.2
github.com/caos/oidc v0.12.5 github.com/caos/oidc v0.13.0
github.com/cockroachdb/cockroach-go/v2 v2.0.8 github.com/cockroachdb/cockroach-go/v2 v2.0.8
github.com/envoyproxy/protoc-gen-validate v0.1.0 github.com/envoyproxy/protoc-gen-validate v0.4.1
github.com/ghodss/yaml v1.0.0 github.com/ghodss/yaml v1.0.0
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
github.com/golang/mock v1.4.4 github.com/golang/mock v1.4.4

16
go.sum
View File

@ -86,8 +86,8 @@ github.com/caos/logging v0.0.2 h1:ebg5C/HN0ludYR+WkvnFjwSExF4wvyiWPyWGcKMYsoo=
github.com/caos/logging v0.0.2 h1:ebg5C/HN0ludYR+WkvnFjwSExF4wvyiWPyWGcKMYsoo= github.com/caos/logging v0.0.2 h1:ebg5C/HN0ludYR+WkvnFjwSExF4wvyiWPyWGcKMYsoo=
github.com/caos/logging v0.0.2/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0= github.com/caos/logging v0.0.2/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0=
github.com/caos/logging v0.0.2/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0= github.com/caos/logging v0.0.2/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0=
github.com/caos/oidc v0.12.5 h1:BN3iu6ZokOIbuoOkLRX/tAZPAfVoTXIkYflKmV156U8= github.com/caos/oidc v0.13.0 h1:l1IKrqV3HaS2TfseuC5kOR3DdEPfY9AbJXuZ7dsIEQo=
github.com/caos/oidc v0.12.5/go.mod h1:dLvfYUiAt9ORfl77L/KkcWuR/N0ll8Ry1nD2ERsamDY= github.com/caos/oidc v0.13.0/go.mod h1:dLvfYUiAt9ORfl77L/KkcWuR/N0ll8Ry1nD2ERsamDY=
github.com/census-instrumentation/opencensus-proto v0.2.1 h1:glEXhBS5PSLLv4IXzLA5yPRVX4bilULVyxxbrfOtDAk= github.com/census-instrumentation/opencensus-proto v0.2.1 h1:glEXhBS5PSLLv4IXzLA5yPRVX4bilULVyxxbrfOtDAk=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@ -125,6 +125,8 @@ github.com/envoyproxy/go-control-plane v0.9.4 h1:rEvIZUSZ3fx39WIi3JkQqQBitGwpELB
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A= github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/envoyproxy/protoc-gen-validate v0.4.1 h1:7dLaJvASGRD7X49jSCSXXHwKPm0ZN9r9kJD+p+vS7dM=
github.com/envoyproxy/protoc-gen-validate v0.4.1/go.mod h1:E+IEazqdaWv3FrnGtZIu3b9fPFMK8AzeTTrk9SfVwWs=
github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y= github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y=
github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0= github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ= github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
@ -261,6 +263,8 @@ github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw= github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
github.com/iancoleman/strcase v0.0.0-20180726023541-3605ed457bf7 h1:ux/56T2xqZO/3cP1I2F86qpeoYPCOzk+KF/UH/Ar+lk=
github.com/iancoleman/strcase v0.0.0-20180726023541-3605ed457bf7/go.mod h1:SK73tn/9oHe+/Y0h39VT4UCxmurVJkR5NA7kMEAOgSE=
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6 h1:UDMh68UUwekSh5iP2OMhRRZJiiBccgV7axzUG8vi56c= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6 h1:UDMh68UUwekSh5iP2OMhRRZJiiBccgV7axzUG8vi56c=
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@ -339,6 +343,7 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s= github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515 h1:T+h1c/A9Gawja4Y9mFVWj2vyii2bbUNDw3kt9VxK2EY= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515 h1:T+h1c/A9Gawja4Y9mFVWj2vyii2bbUNDw3kt9VxK2EY=
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
@ -355,6 +360,7 @@ github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/lib/pq v1.4.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.4.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/lib/pq v1.8.0 h1:9xohqzkUwzR4Ga4ivdTcawVS89YSDVxXMa3xJX3cGzg= github.com/lib/pq v1.8.0 h1:9xohqzkUwzR4Ga4ivdTcawVS89YSDVxXMa3xJX3cGzg=
github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
github.com/lyft/protoc-gen-star v0.5.1/go.mod h1:9toiA3cC7z5uVbODF7kEQ91Xn7XNFkVUl+SrEe+ZORU=
github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ= github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
github.com/mattn/go-colorable v0.1.8 h1:c1ghPdyEDarC70ftn0y+A/Ee++9zz8ljHG1b13eJ0s8= github.com/mattn/go-colorable v0.1.8 h1:c1ghPdyEDarC70ftn0y+A/Ee++9zz8ljHG1b13eJ0s8=
@ -385,6 +391,7 @@ github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFSt
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok= github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok=
@ -417,6 +424,10 @@ github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/sony/sonyflake v1.0.0 h1:MpU6Ro7tfXwgn2l5eluf9xQvQJDROTBImNCfRXn/YeM= github.com/sony/sonyflake v1.0.0 h1:MpU6Ro7tfXwgn2l5eluf9xQvQJDROTBImNCfRXn/YeM=
github.com/sony/sonyflake v1.0.0/go.mod h1:Jv3cfhf/UFtolOTTRd3q4Nl6ENqM+KfyZ5PseKfZGF4= github.com/sony/sonyflake v1.0.0/go.mod h1:Jv3cfhf/UFtolOTTRd3q4Nl6ENqM+KfyZ5PseKfZGF4=
github.com/spf13/afero v1.3.3 h1:p5gZEKLYoL7wh8VrJesMaYeNxdEd1v3cb4irOk9zB54=
github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
github.com/spf13/afero v1.3.4 h1:8q6vk3hthlpb2SouZcnBVKboxWQWMDNF38bwholZrJc=
github.com/spf13/afero v1.3.4/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A= github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@ -690,6 +701,7 @@ golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWc
golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200522201501-cb1345f3a375/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200701151220-7cb253f4c4f8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200701151220-7cb253f4c4f8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20200713011307-fd294ab11aed/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200713011307-fd294ab11aed/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=

9
internal/api/grpc/management/application_converter.go
View File

@ -6,6 +6,7 @@ import (
"github.com/caos/logging" "github.com/caos/logging"
"github.com/golang/protobuf/ptypes" "github.com/golang/protobuf/ptypes"
"google.golang.org/protobuf/encoding/protojson" "google.golang.org/protobuf/encoding/protojson"
"google.golang.org/protobuf/types/known/durationpb"
"google.golang.org/protobuf/types/known/structpb" "google.golang.org/protobuf/types/known/structpb"
"github.com/caos/zitadel/internal/eventstore/models" "github.com/caos/zitadel/internal/eventstore/models"
@ -59,6 +60,8 @@ func oidcConfigFromModel(config *proj_model.OIDCConfig) *management.OIDCConfig {
AccessTokenType: oidcTokenTypeFromModel(config.AccessTokenType), AccessTokenType: oidcTokenTypeFromModel(config.AccessTokenType),
AccessTokenRoleAssertion: config.AccessTokenRoleAssertion, AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
IdTokenRoleAssertion: config.IDTokenRoleAssertion, IdTokenRoleAssertion: config.IDTokenRoleAssertion,
IdTokenUserinfoAssertion: config.IDTokenUserinfoAssertion,
ClockSkew: durationpb.New(config.ClockSkew),
} }
} }
@ -78,6 +81,8 @@ func oidcConfigFromApplicationViewModel(app *proj_model.ApplicationView) *manage
AccessTokenType: oidcTokenTypeFromModel(app.AccessTokenType), AccessTokenType: oidcTokenTypeFromModel(app.AccessTokenType),
AccessTokenRoleAssertion: app.AccessTokenRoleAssertion, AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
IdTokenRoleAssertion: app.IDTokenRoleAssertion, IdTokenRoleAssertion: app.IDTokenRoleAssertion,
IdTokenUserinfoAssertion: app.IDTokenUserinfoAssertion,
ClockSkew: durationpb.New(app.ClockSkew),
} }
} }
@ -109,6 +114,8 @@ func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.App
AccessTokenType: oidcTokenTypeToModel(app.AccessTokenType), AccessTokenType: oidcTokenTypeToModel(app.AccessTokenType),
AccessTokenRoleAssertion: app.AccessTokenRoleAssertion, AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
IDTokenRoleAssertion: app.IdTokenRoleAssertion, IDTokenRoleAssertion: app.IdTokenRoleAssertion,
IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion,
ClockSkew: app.ClockSkew.AsDuration(),
}, },
} }
} }
@ -139,6 +146,8 @@ func oidcConfigUpdateToModel(app *management.OIDCConfigUpdate) *proj_model.OIDCC
AccessTokenType: oidcTokenTypeToModel(app.AccessTokenType), AccessTokenType: oidcTokenTypeToModel(app.AccessTokenType),
AccessTokenRoleAssertion: app.AccessTokenRoleAssertion, AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
IDTokenRoleAssertion: app.IdTokenRoleAssertion, IDTokenRoleAssertion: app.IdTokenRoleAssertion,
IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion,
ClockSkew: app.ClockSkew.AsDuration(),
} }
} }

8
internal/api/oidc/client_converter.go
View File

@ -110,6 +110,14 @@ func (c *Client) IsScopeAllowed(scope string) bool {
return false return false
} }
func (c *Client) ClockSkew() time.Duration {
return c.ApplicationView.ClockSkew
}
func (c *Client) IDTokenUserinfoClaimsAssertion() bool {
return c.ApplicationView.IDTokenUserinfoAssertion
}
func accessTokenTypeToOIDC(tokenType model.OIDCTokenType) op.AccessTokenType { func accessTokenTypeToOIDC(tokenType model.OIDCTokenType) op.AccessTokenType {
switch tokenType { switch tokenType {
case model.OIDCTokenTypeBearer: case model.OIDCTokenTypeBearer:

2
internal/project/model/application_view.go
View File

@ -32,6 +32,8 @@ type ApplicationView struct {
AccessTokenType OIDCTokenType AccessTokenType OIDCTokenType
IDTokenRoleAssertion bool IDTokenRoleAssertion bool
AccessTokenRoleAssertion bool AccessTokenRoleAssertion bool
IDTokenUserinfoAssertion bool
ClockSkew time.Duration
Sequence uint64 Sequence uint64
} }

3
internal/project/model/oidc_config.go
View File

@ -3,6 +3,7 @@ package model
import ( import (
"fmt" "fmt"
"strings" "strings"
"time"
"github.com/caos/logging" "github.com/caos/logging"
@ -37,6 +38,8 @@ type OIDCConfig struct {
AccessTokenType OIDCTokenType AccessTokenType OIDCTokenType
AccessTokenRoleAssertion bool AccessTokenRoleAssertion bool
IDTokenRoleAssertion bool IDTokenRoleAssertion bool
IDTokenUserinfoAssertion bool
ClockSkew time.Duration
} }
type OIDCVersion int32 type OIDCVersion int32

13
internal/project/repository/eventsourcing/model/oidc_config.go
View File

@ -3,6 +3,7 @@ package model
import ( import (
"encoding/json" "encoding/json"
"reflect" "reflect"
"time"
"github.com/caos/logging" "github.com/caos/logging"
@ -27,6 +28,8 @@ type OIDCConfig struct {
AccessTokenType int32 `json:"accessTokenType,omitempty"` AccessTokenType int32 `json:"accessTokenType,omitempty"`
AccessTokenRoleAssertion bool `json:"accessTokenRoleAssertion,omitempty"` AccessTokenRoleAssertion bool `json:"accessTokenRoleAssertion,omitempty"`
IDTokenRoleAssertion bool `json:"idTokenRoleAssertion,omitempty"` IDTokenRoleAssertion bool `json:"idTokenRoleAssertion,omitempty"`
IDTokenUserinfoAssertion bool `json:"idTokenUserinfoAssertion,omitempty"`
ClockSkew time.Duration `json:"clockSkew,omitempty"`
} }
func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} { func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
@ -65,6 +68,12 @@ func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
if c.IDTokenRoleAssertion != changed.IDTokenRoleAssertion { if c.IDTokenRoleAssertion != changed.IDTokenRoleAssertion {
changes["idTokenRoleAssertion"] = changed.IDTokenRoleAssertion changes["idTokenRoleAssertion"] = changed.IDTokenRoleAssertion
} }
if c.IDTokenUserinfoAssertion != changed.IDTokenUserinfoAssertion {
changes["idTokenUserinfoAssertion"] = changed.IDTokenUserinfoAssertion
}
if c.ClockSkew != changed.ClockSkew {
changes["clockSkew"] = changed.ClockSkew
}
return changes return changes
} }
@ -93,6 +102,8 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
AccessTokenType: int32(config.AccessTokenType), AccessTokenType: int32(config.AccessTokenType),
AccessTokenRoleAssertion: config.AccessTokenRoleAssertion, AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
IDTokenRoleAssertion: config.IDTokenRoleAssertion, IDTokenRoleAssertion: config.IDTokenRoleAssertion,
IDTokenUserinfoAssertion: config.IDTokenUserinfoAssertion,
ClockSkew: config.ClockSkew,
} }
} }
@ -121,6 +132,8 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
AccessTokenType: model.OIDCTokenType(config.AccessTokenType), AccessTokenType: model.OIDCTokenType(config.AccessTokenType),
AccessTokenRoleAssertion: config.AccessTokenRoleAssertion, AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
IDTokenRoleAssertion: config.IDTokenRoleAssertion, IDTokenRoleAssertion: config.IDTokenRoleAssertion,
IDTokenUserinfoAssertion: config.IDTokenUserinfoAssertion,
ClockSkew: config.ClockSkew,
} }
oidcConfig.FillCompliance() oidcConfig.FillCompliance()
return oidcConfig return oidcConfig

4
internal/project/repository/view/model/application.go
View File

@ -48,6 +48,8 @@ type ApplicationView struct {
AccessTokenType int32 `json:"accessTokenType" gorm:"column:access_token_type"` AccessTokenType int32 `json:"accessTokenType" gorm:"column:access_token_type"`
AccessTokenRoleAssertion bool `json:"accessTokenRoleAssertion" gorm:"column:access_token_role_assertion"` AccessTokenRoleAssertion bool `json:"accessTokenRoleAssertion" gorm:"column:access_token_role_assertion"`
IDTokenRoleAssertion bool `json:"idTokenRoleAssertion" gorm:"column:id_token_role_assertion"` IDTokenRoleAssertion bool `json:"idTokenRoleAssertion" gorm:"column:id_token_role_assertion"`
IDTokenUserinfoAssertion bool `json:"idTokenUserinfoAssertion" gorm:"column:id_token_userinfo_assertion"`
ClockSkew time.Duration `json:"clockSkew" gorm:"column:clock_skew"`
Sequence uint64 `json:"-" gorm:"sequence"` Sequence uint64 `json:"-" gorm:"sequence"`
} }
@ -80,6 +82,8 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
AccessTokenType: model.OIDCTokenType(app.AccessTokenType), AccessTokenType: model.OIDCTokenType(app.AccessTokenType),
AccessTokenRoleAssertion: app.AccessTokenRoleAssertion, AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
IDTokenRoleAssertion: app.IDTokenRoleAssertion, IDTokenRoleAssertion: app.IDTokenRoleAssertion,
IDTokenUserinfoAssertion: app.IDTokenUserinfoAssertion,
ClockSkew: app.ClockSkew,
} }
} }

7
migrations/cockroach/V1.23__application_view.sql Normal file
View File

@ -0,0 +1,7 @@
ALTER TABLE management.applications ADD COLUMN id_token_userinfo_assertion BOOLEAN;
ALTER TABLE auth.applications ADD COLUMN id_token_userinfo_assertion BOOLEAN;
ALTER TABLE authz.applications ADD COLUMN id_token_userinfo_assertion BOOLEAN;
ALTER TABLE management.applications ADD COLUMN clock_skew BIGINT;
ALTER TABLE auth.applications ADD COLUMN clock_skew BIGINT;
ALTER TABLE authz.applications ADD COLUMN clock_skew BIGINT;

307
pkg/grpc/management/proto/management.proto
View File

@ -4,6 +4,7 @@ import "google/api/annotations.proto";
import "google/protobuf/empty.proto"; import "google/protobuf/empty.proto";
import "google/protobuf/struct.proto"; import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto"; import "google/protobuf/timestamp.proto";
import "google/protobuf/duration.proto";
import "protoc-gen-swagger/options/annotations.proto"; import "protoc-gen-swagger/options/annotations.proto";
import "validate/validate.proto"; import "validate/validate.proto";
import "authoption/options.proto"; import "authoption/options.proto";
@ -69,7 +70,7 @@ service ManagementService {
}; };
} }
rpc GetUserByID(UserID) returns (UserView) { rpc GetUserByID(UserID) returns (UserView) {
option (google.api.http) = { option (google.api.http) = {
get: "/users/{id}" get: "/users/{id}"
}; };
@ -1198,93 +1199,93 @@ rpc GetUserByID(UserID) returns (UserView) {
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "user.grant.delete" permission: "user.grant.delete"
}; };
} }
rpc IdpByID(IdpID) returns (IdpView) { rpc IdpByID(IdpID) returns (IdpView) {
option (google.api.http) = { option (google.api.http) = {
get: "/orgs/me/idps/{id}" get: "/orgs/me/idps/{id}"
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "org.idp.read" permission: "org.idp.read"
}; };
} }
rpc CreateOidcIdp(OidcIdpConfigCreate) returns (Idp) { rpc CreateOidcIdp(OidcIdpConfigCreate) returns (Idp) {
option (google.api.http) = { option (google.api.http) = {
post: "/orgs/me/idps/oidc" post: "/orgs/me/idps/oidc"
body: "*" body: "*"
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "org.idp.write" permission: "org.idp.write"
}; };
} }
rpc UpdateIdpConfig(IdpUpdate) returns (Idp) { rpc UpdateIdpConfig(IdpUpdate) returns (Idp) {
option (google.api.http) = { option (google.api.http) = {
put: "/orgs/me/idps/{id}" put: "/orgs/me/idps/{id}"
body: "*" body: "*"
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "org.idp.write" permission: "org.idp.write"
}; };
} }
rpc DeactivateIdpConfig(IdpID) returns (Idp) { rpc DeactivateIdpConfig(IdpID) returns (Idp) {
option (google.api.http) = { option (google.api.http) = {
put: "/orgs/me/idps/{id}/_deactivate" put: "/orgs/me/idps/{id}/_deactivate"
body: "*" body: "*"
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "org.idp.write" permission: "org.idp.write"
}; };
} }
rpc ReactivateIdpConfig(IdpID) returns (Idp) { rpc ReactivateIdpConfig(IdpID) returns (Idp) {
option (google.api.http) = { option (google.api.http) = {
put: "/orgs/me/idps/{id}/_reactivate" put: "/orgs/me/idps/{id}/_reactivate"
body: "*" body: "*"
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "org.idp.write" permission: "org.idp.write"
}; };
} }
rpc RemoveIdpConfig(IdpID) returns (google.protobuf.Empty) { rpc RemoveIdpConfig(IdpID) returns (google.protobuf.Empty) {
option (google.api.http) = { option (google.api.http) = {
delete: "/orgs/me/idps/{id}" delete: "/orgs/me/idps/{id}"
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "org.idp.write" permission: "org.idp.write"
}; };
} }
rpc UpdateOidcIdpConfig(OidcIdpConfigUpdate) returns (OidcIdpConfig) { rpc UpdateOidcIdpConfig(OidcIdpConfigUpdate) returns (OidcIdpConfig) {
option (google.api.http) = { option (google.api.http) = {
put: "/orgs/me/idps/{idp_id}/oidcconfig" put: "/orgs/me/idps/{idp_id}/oidcconfig"
body: "*" body: "*"
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "org.idp.write" permission: "org.idp.write"
}; };
} }
rpc SearchIdps(IdpSearchRequest) returns (IdpSearchResponse) { rpc SearchIdps(IdpSearchRequest) returns (IdpSearchResponse) {
option (google.api.http) = { option (google.api.http) = {
post: "/orgs/me/idps/_search" post: "/orgs/me/idps/_search"
body: "*" body: "*"
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "org.idp.read" permission: "org.idp.read"
}; };
} }
@ -1374,64 +1375,64 @@ rpc GetUserByID(UserID) returns (UserView) {
rpc GetLoginPolicySecondFactors(google.protobuf.Empty) returns (SecondFactorsResult) { rpc GetLoginPolicySecondFactors(google.protobuf.Empty) returns (SecondFactorsResult) {
option (google.api.http) = { option (google.api.http) = {
get: "/orgs/me/policies/login/secondfactors/_search" get: "/orgs/me/policies/login/secondfactors/_search"
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.read" permission: "iam.policy.read"
}; };
} }
rpc AddSecondFactorToLoginPolicy(SecondFactor) returns (SecondFactor) { rpc AddSecondFactorToLoginPolicy(SecondFactor) returns (SecondFactor) {
option (google.api.http) = { option (google.api.http) = {
post: "/orgs/me/policies/login/secondfactors" post: "/orgs/me/policies/login/secondfactors"
body: "*" body: "*"
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.write" permission: "iam.policy.write"
}; };
} }
rpc RemoveSecondFactorFromLoginPolicy(SecondFactor) returns (google.protobuf.Empty) { rpc RemoveSecondFactorFromLoginPolicy(SecondFactor) returns (google.protobuf.Empty) {
option (google.api.http) = { option (google.api.http) = {
delete: "/orgs/me/policies/login/secondfactors/{second_factor}" delete: "/orgs/me/policies/login/secondfactors/{second_factor}"
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.write" permission: "iam.policy.write"
}; };
} }
rpc GetLoginPolicyMultiFactors(google.protobuf.Empty) returns (MultiFactorsResult) { rpc GetLoginPolicyMultiFactors(google.protobuf.Empty) returns (MultiFactorsResult) {
option (google.api.http) = { option (google.api.http) = {
get: "/orgs/me/policies/login/multifactors/_search" get: "/orgs/me/policies/login/multifactors/_search"
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.read" permission: "iam.policy.read"
}; };
} }
rpc AddMultiFactorToLoginPolicy(MultiFactor) returns (MultiFactor) { rpc AddMultiFactorToLoginPolicy(MultiFactor) returns (MultiFactor) {
option (google.api.http) = { option (google.api.http) = {
post: "/orgs/me/policies/login/multifactors" post: "/orgs/me/policies/login/multifactors"
body: "*" body: "*"
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.write" permission: "iam.policy.write"
}; };
} }
rpc RemoveMultiFactorFromLoginPolicy(MultiFactor) returns (google.protobuf.Empty) { rpc RemoveMultiFactorFromLoginPolicy(MultiFactor) returns (google.protobuf.Empty) {
option (google.api.http) = { option (google.api.http) = {
delete: "/orgs/me/policies/login/multifactors/{multi_factor}" delete: "/orgs/me/policies/login/multifactors/{multi_factor}"
}; };
option (caos.zitadel.utils.v1.auth_option) = { option (caos.zitadel.utils.v1.auth_option) = {
permission: "iam.policy.write" permission: "iam.policy.write"
}; };
} }
rpc GetPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicyView) { rpc GetPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicyView) {
@ -2510,6 +2511,8 @@ message OIDCConfig {
OIDCTokenType access_token_type = 13; OIDCTokenType access_token_type = 13;
bool access_token_role_assertion = 14; bool access_token_role_assertion = 14;
bool id_token_role_assertion = 15; bool id_token_role_assertion = 15;
bool id_token_userinfo_assertion = 16;
google.protobuf.Duration clock_skew = 17;
} }
message OIDCApplicationCreate { message OIDCApplicationCreate {
@ -2526,6 +2529,8 @@ message OIDCApplicationCreate {
OIDCTokenType access_token_type = 11; OIDCTokenType access_token_type = 11;
bool access_token_role_assertion = 12; bool access_token_role_assertion = 12;
bool id_token_role_assertion = 13; bool id_token_role_assertion = 13;
bool id_token_userinfo_assertion = 14;
google.protobuf.Duration clock_skew = 15 [(validate.rules).duration = {gte: {}, lte: {seconds: 5}}];
} }
enum OIDCVersion { enum OIDCVersion {
@ -2533,8 +2538,8 @@ enum OIDCVersion {
} }
enum OIDCTokenType { enum OIDCTokenType {
OIDCTokenType_Bearer = 0; OIDCTokenType_Bearer = 0;
OIDCTokenType_JWT = 1; OIDCTokenType_JWT = 1;
} }
message OIDCConfigUpdate { message OIDCConfigUpdate {
@ -2550,6 +2555,8 @@ message OIDCConfigUpdate {
OIDCTokenType access_token_type = 10; OIDCTokenType access_token_type = 10;
bool access_token_role_assertion = 11; bool access_token_role_assertion = 11;
bool id_token_role_assertion = 12; bool id_token_role_assertion = 12;
bool id_token_userinfo_assertion = 13;
google.protobuf.Duration clock_skew = 14 [(validate.rules).duration = {gte: {}, lte: {seconds: 5}}];
} }
enum OIDCResponseType { enum OIDCResponseType {
@ -2931,35 +2938,35 @@ enum MemberType {
} }
message IdpID { message IdpID {
string id = 1 [(validate.rules).string = {min_len: 1}]; string id = 1 [(validate.rules).string = {min_len: 1}];
} }
message Idp { message Idp {
string id = 1; string id = 1;
IdpState state = 2; IdpState state = 2;
google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp creation_date = 3;
google.protobuf.Timestamp change_date = 4; google.protobuf.Timestamp change_date = 4;
string name = 5; string name = 5;
IdpStylingType styling_type = 6; IdpStylingType styling_type = 6;
oneof idp_config { oneof idp_config {
OidcIdpConfig oidc_config = 7; OidcIdpConfig oidc_config = 7;
} }
uint64 sequence = 8; uint64 sequence = 8;
} }
message IdpUpdate { message IdpUpdate {
string id = 1 [(validate.rules).string = {min_len: 1}]; string id = 1 [(validate.rules).string = {min_len: 1}];
string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
IdpStylingType styling_type = 3; IdpStylingType styling_type = 3;
} }
message OidcIdpConfig { message OidcIdpConfig {
string client_id = 1; string client_id = 1;
string client_secret = 2; string client_secret = 2;
string issuer = 3; string issuer = 3;
repeated string scopes = 4; repeated string scopes = 4;
OIDCMappingField idp_display_name_mapping = 5; OIDCMappingField idp_display_name_mapping = 5;
OIDCMappingField username_mapping = 6; OIDCMappingField username_mapping = 6;
} }
enum IdpStylingType { enum IdpStylingType {
@ -2968,9 +2975,9 @@ enum IdpStylingType {
} }
enum IdpState { enum IdpState {
IDPCONFIGSTATE_UNSPECIFIED = 0; IDPCONFIGSTATE_UNSPECIFIED = 0;
IDPCONFIGSTATE_ACTIVE = 1; IDPCONFIGSTATE_ACTIVE = 1;
IDPCONFIGSTATE_INACTIVE = 2; IDPCONFIGSTATE_INACTIVE = 2;
} }
enum OIDCMappingField { enum OIDCMappingField {
@ -2980,83 +2987,83 @@ enum OIDCMappingField {
} }
message OidcIdpConfigCreate { message OidcIdpConfigCreate {
string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
IdpStylingType styling_type = 2; IdpStylingType styling_type = 2;
string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}];
repeated string scopes = 6; repeated string scopes = 6;
OIDCMappingField idp_display_name_mapping = 7; OIDCMappingField idp_display_name_mapping = 7;
OIDCMappingField username_mapping = 8; OIDCMappingField username_mapping = 8;
} }
message OidcIdpConfigUpdate { message OidcIdpConfigUpdate {
string idp_id = 1 [(validate.rules).string = {min_len: 1}]; string idp_id = 1 [(validate.rules).string = {min_len: 1}];
string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
string client_secret = 3; string client_secret = 3;
string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
repeated string scopes = 5; repeated string scopes = 5;
OIDCMappingField idp_display_name_mapping = 6; OIDCMappingField idp_display_name_mapping = 6;
OIDCMappingField username_mapping = 7; OIDCMappingField username_mapping = 7;
} }
message IdpSearchResponse { message IdpSearchResponse {
uint64 offset = 1; uint64 offset = 1;
uint64 limit = 2; uint64 limit = 2;
uint64 total_result = 3; uint64 total_result = 3;
repeated IdpView result = 4; repeated IdpView result = 4;
uint64 processed_sequence = 5; uint64 processed_sequence = 5;
google.protobuf.Timestamp view_timestamp = 6; google.protobuf.Timestamp view_timestamp = 6;
} }
message IdpView { message IdpView {
string id = 1; string id = 1;
IdpState state = 2; IdpState state = 2;
google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp creation_date = 3;
google.protobuf.Timestamp change_date = 4; google.protobuf.Timestamp change_date = 4;
string name = 5; string name = 5;
IdpStylingType styling_type = 6; IdpStylingType styling_type = 6;
IdpProviderType provider_type = 7; IdpProviderType provider_type = 7;
oneof idp_config_view { oneof idp_config_view {
OidcIdpConfigView oidc_config = 8; OidcIdpConfigView oidc_config = 8;
} }
uint64 sequence = 9; uint64 sequence = 9;
} }
message OidcIdpConfigView { message OidcIdpConfigView {
string client_id = 1; string client_id = 1;
string issuer = 2; string issuer = 2;
repeated string scopes = 3; repeated string scopes = 3;
OIDCMappingField idp_display_name_mapping = 4; OIDCMappingField idp_display_name_mapping = 4;
OIDCMappingField username_mapping = 5; OIDCMappingField username_mapping = 5;
} }
message IdpSearchRequest { message IdpSearchRequest {
uint64 offset = 1; uint64 offset = 1;
uint64 limit = 2; uint64 limit = 2;
repeated IdpSearchQuery queries = 3; repeated IdpSearchQuery queries = 3;
} }
message IdpSearchQuery { message IdpSearchQuery {
IdpSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; IdpSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
SearchMethod method = 2; SearchMethod method = 2;
string value = 3; string value = 3;
} }
enum IdpSearchKey { enum IdpSearchKey {
IDPSEARCHKEY_UNSPECIFIED = 0; IDPSEARCHKEY_UNSPECIFIED = 0;
IDPSEARCHKEY_IDP_CONFIG_ID = 1; IDPSEARCHKEY_IDP_CONFIG_ID = 1;
IDPSEARCHKEY_NAME = 2; IDPSEARCHKEY_NAME = 2;
IDPSEARCHKEY_PROVIDER_TYPE = 3; IDPSEARCHKEY_PROVIDER_TYPE = 3;
} }
message LoginPolicy { message LoginPolicy {
bool allow_username_password = 1; bool allow_username_password = 1;
bool allow_register = 2; bool allow_register = 2;
bool allow_external_idp = 3; bool allow_external_idp = 3;
google.protobuf.Timestamp creation_date = 4; google.protobuf.Timestamp creation_date = 4;
google.protobuf.Timestamp change_date = 5; google.protobuf.Timestamp change_date = 5;
bool force_mfa = 6; bool force_mfa = 6;
} }
message LoginPolicyRequest { message LoginPolicyRequest {
@ -3067,7 +3074,7 @@ message LoginPolicyRequest {
} }
message IdpProviderID { message IdpProviderID {
string idp_config_id = 1 [(validate.rules).string = {min_len: 1}]; string idp_config_id = 1 [(validate.rules).string = {min_len: 1}];
} }
message IdpProviderAdd { message IdpProviderAdd {
@ -3081,25 +3088,25 @@ message IdpProvider {
} }
message LoginPolicyView { message LoginPolicyView {
bool default = 1; bool default = 1;
bool allow_username_password = 2; bool allow_username_password = 2;
bool allow_register = 3; bool allow_register = 3;
bool allow_external_idp = 4; bool allow_external_idp = 4;
google.protobuf.Timestamp creation_date = 5; google.protobuf.Timestamp creation_date = 5;
google.protobuf.Timestamp change_date = 6; google.protobuf.Timestamp change_date = 6;
bool force_mfa = 7; bool force_mfa = 7;
} }
message IdpProviderView { message IdpProviderView {
string idp_config_id = 1; string idp_config_id = 1;
string name = 2; string name = 2;
IdpType type = 3; IdpType type = 3;
} }
enum IdpType { enum IdpType {
IDPTYPE_UNSPECIFIED = 0; IDPTYPE_UNSPECIFIED = 0;
IDPTYPE_OIDC = 1; IDPTYPE_OIDC = 1;
IDPTYPE_SAML = 2; IDPTYPE_SAML = 2;
} }
enum IdpProviderType { enum IdpProviderType {
@ -3109,17 +3116,17 @@ enum IdpProviderType {
} }
message IdpProviderSearchResponse { message IdpProviderSearchResponse {
uint64 offset = 1; uint64 offset = 1;
uint64 limit = 2; uint64 limit = 2;
uint64 total_result = 3; uint64 total_result = 3;
repeated IdpProviderView result = 4; repeated IdpProviderView result = 4;
uint64 processed_sequence = 5; uint64 processed_sequence = 5;
google.protobuf.Timestamp view_timestamp = 6; google.protobuf.Timestamp view_timestamp = 6;
} }
message IdpProviderSearchRequest { message IdpProviderSearchRequest {
uint64 offset = 1; uint64 offset = 1;
uint64 limit = 2; uint64 limit = 2;
} }
//ProjectType is deprecated, remove as soon as console is ready //ProjectType is deprecated, remove as soon as console is ready