feat(oidc): add clock skew and userinfo claims in ID Token (#1022)

* feat: add clock skew * add IDTokenUserinfoAssertion * migration * fix missing converter * update oidc version * fix interface impl
2025-02-28 19:17:24 +00:00 · 2020-11-27 14:10:52 +01:00 · 2020-11-27 14:10:52 +01:00 · 2331b8a4c0
commit 2331b8a4c0
parent 2cd6da361a
11 changed files with 221 additions and 156 deletions
--- a/build/dockerfile
+++ b/build/dockerfile
@ -12,7 +12,7 @@ RUN wget -O protoc https://github.com/protocolbuffers/protobuf/releases/download
    && unzip protoc \
    && wget -O bin/protoc-gen-grpc-web https://github.com/grpc/grpc-web/releases/download/1.2.0/protoc-gen-grpc-web-1.2.0-linux-x86_64 \
    && chmod +x bin/protoc-gen-grpc-web
-RUN curl https://raw.githubusercontent.com/envoyproxy/protoc-gen-validate/v0.4.0/validate/validate.proto --create-dirs -o validate/validate.proto  \
+RUN curl https://raw.githubusercontent.com/envoyproxy/protoc-gen-validate/v0.4.1/validate/validate.proto --create-dirs -o validate/validate.proto  \
    && curl https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/v1.14.6/protoc-gen-swagger/options/annotations.proto --create-dirs -o protoc-gen-swagger/options/annotations.proto \
    && curl https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/v1.14.6/protoc-gen-swagger/options/openapiv2.proto --create-dirs -o protoc-gen-swagger/options/openapiv2.proto \
    && curl https://raw.githubusercontent.com/googleapis/googleapis/master/google/api/annotations.proto --create-dirs -o google/api/annotations.proto \
--- a/go.mod
+++ b/go.mod
@ -15,9 +15,9 @@ require (
 	github.com/allegro/bigcache v1.2.1
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc
 	github.com/caos/logging v0.0.2
-	github.com/caos/oidc v0.12.5
+	github.com/caos/oidc v0.13.0
 	github.com/cockroachdb/cockroach-go/v2 v2.0.8
-	github.com/envoyproxy/protoc-gen-validate v0.1.0
+	github.com/envoyproxy/protoc-gen-validate v0.4.1
 	github.com/ghodss/yaml v1.0.0
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/golang/mock v1.4.4
--- a/go.sum
+++ b/go.sum
@ -86,8 +86,8 @@ github.com/caos/logging v0.0.2 h1:ebg5C/HN0ludYR+WkvnFjwSExF4wvyiWPyWGcKMYsoo=
 github.com/caos/logging v0.0.2 h1:ebg5C/HN0ludYR+WkvnFjwSExF4wvyiWPyWGcKMYsoo=
 github.com/caos/logging v0.0.2/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0=
 github.com/caos/logging v0.0.2/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0=
-github.com/caos/oidc v0.12.5 h1:BN3iu6ZokOIbuoOkLRX/tAZPAfVoTXIkYflKmV156U8=
-github.com/caos/oidc v0.12.5/go.mod h1:dLvfYUiAt9ORfl77L/KkcWuR/N0ll8Ry1nD2ERsamDY=
+github.com/caos/oidc v0.13.0 h1:l1IKrqV3HaS2TfseuC5kOR3DdEPfY9AbJXuZ7dsIEQo=
+github.com/caos/oidc v0.13.0/go.mod h1:dLvfYUiAt9ORfl77L/KkcWuR/N0ll8Ry1nD2ERsamDY=
 github.com/census-instrumentation/opencensus-proto v0.2.1 h1:glEXhBS5PSLLv4IXzLA5yPRVX4bilULVyxxbrfOtDAk=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@ -125,6 +125,8 @@ github.com/envoyproxy/go-control-plane v0.9.4 h1:rEvIZUSZ3fx39WIi3JkQqQBitGwpELB
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/envoyproxy/protoc-gen-validate v0.4.1 h1:7dLaJvASGRD7X49jSCSXXHwKPm0ZN9r9kJD+p+vS7dM=
+github.com/envoyproxy/protoc-gen-validate v0.4.1/go.mod h1:E+IEazqdaWv3FrnGtZIu3b9fPFMK8AzeTTrk9SfVwWs=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
 github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
@ -261,6 +263,8 @@ github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
 github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/iancoleman/strcase v0.0.0-20180726023541-3605ed457bf7 h1:ux/56T2xqZO/3cP1I2F86qpeoYPCOzk+KF/UH/Ar+lk=
+github.com/iancoleman/strcase v0.0.0-20180726023541-3605ed457bf7/go.mod h1:SK73tn/9oHe+/Y0h39VT4UCxmurVJkR5NA7kMEAOgSE=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6 h1:UDMh68UUwekSh5iP2OMhRRZJiiBccgV7axzUG8vi56c=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@ -339,6 +343,7 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515 h1:T+h1c/A9Gawja4Y9mFVWj2vyii2bbUNDw3kt9VxK2EY=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
@ -355,6 +360,7 @@ github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.4.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.8.0 h1:9xohqzkUwzR4Ga4ivdTcawVS89YSDVxXMa3xJX3cGzg=
 github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lyft/protoc-gen-star v0.5.1/go.mod h1:9toiA3cC7z5uVbODF7kEQ91Xn7XNFkVUl+SrEe+ZORU=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.8 h1:c1ghPdyEDarC70ftn0y+A/Ee++9zz8ljHG1b13eJ0s8=
@ -385,6 +391,7 @@ github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFSt
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok=
@ -417,6 +424,10 @@ github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sony/sonyflake v1.0.0 h1:MpU6Ro7tfXwgn2l5eluf9xQvQJDROTBImNCfRXn/YeM=
 github.com/sony/sonyflake v1.0.0/go.mod h1:Jv3cfhf/UFtolOTTRd3q4Nl6ENqM+KfyZ5PseKfZGF4=
+github.com/spf13/afero v1.3.3 h1:p5gZEKLYoL7wh8VrJesMaYeNxdEd1v3cb4irOk9zB54=
+github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
+github.com/spf13/afero v1.3.4 h1:8q6vk3hthlpb2SouZcnBVKboxWQWMDNF38bwholZrJc=
+github.com/spf13/afero v1.3.4/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@ -690,6 +701,7 @@ golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWc
 golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200522201501-cb1345f3a375/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200701151220-7cb253f4c4f8/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20200713011307-fd294ab11aed/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
--- a/internal/api/grpc/management/application_converter.go
+++ b/internal/api/grpc/management/application_converter.go
@ -6,6 +6,7 @@ import (
 	"github.com/caos/logging"
 	"github.com/golang/protobuf/ptypes"
 	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/structpb"

 	"github.com/caos/zitadel/internal/eventstore/models"
@ -59,6 +60,8 @@ func oidcConfigFromModel(config *proj_model.OIDCConfig) *management.OIDCConfig {
 		AccessTokenType:          oidcTokenTypeFromModel(config.AccessTokenType),
 		AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
 		IdTokenRoleAssertion:     config.IDTokenRoleAssertion,
+		IdTokenUserinfoAssertion: config.IDTokenUserinfoAssertion,
+		ClockSkew:                durationpb.New(config.ClockSkew),
 	}
 }

@ -78,6 +81,8 @@ func oidcConfigFromApplicationViewModel(app *proj_model.ApplicationView) *manage
 		AccessTokenType:          oidcTokenTypeFromModel(app.AccessTokenType),
 		AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
 		IdTokenRoleAssertion:     app.IDTokenRoleAssertion,
+		IdTokenUserinfoAssertion: app.IDTokenUserinfoAssertion,
+		ClockSkew:                durationpb.New(app.ClockSkew),
 	}
 }

@ -109,6 +114,8 @@ func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.App
 			AccessTokenType:          oidcTokenTypeToModel(app.AccessTokenType),
 			AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
 			IDTokenRoleAssertion:     app.IdTokenRoleAssertion,
+			IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion,
+			ClockSkew:                app.ClockSkew.AsDuration(),
 		},
 	}
 }
@ -139,6 +146,8 @@ func oidcConfigUpdateToModel(app *management.OIDCConfigUpdate) *proj_model.OIDCC
 		AccessTokenType:          oidcTokenTypeToModel(app.AccessTokenType),
 		AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
 		IDTokenRoleAssertion:     app.IdTokenRoleAssertion,
+		IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion,
+		ClockSkew:                app.ClockSkew.AsDuration(),
 	}
 }

--- a/internal/api/oidc/client_converter.go
+++ b/internal/api/oidc/client_converter.go
@ -110,6 +110,14 @@ func (c *Client) IsScopeAllowed(scope string) bool {
 	return false
 }

+func (c *Client) ClockSkew() time.Duration {
+	return c.ApplicationView.ClockSkew
+}
+
+func (c *Client) IDTokenUserinfoClaimsAssertion() bool {
+	return c.ApplicationView.IDTokenUserinfoAssertion
+}
+
 func accessTokenTypeToOIDC(tokenType model.OIDCTokenType) op.AccessTokenType {
 	switch tokenType {
 	case model.OIDCTokenTypeBearer:
--- a/internal/project/model/application_view.go
+++ b/internal/project/model/application_view.go
@ -32,6 +32,8 @@ type ApplicationView struct {
 	AccessTokenType            OIDCTokenType
 	IDTokenRoleAssertion       bool
 	AccessTokenRoleAssertion   bool
+	IDTokenUserinfoAssertion   bool
+	ClockSkew                  time.Duration

 	Sequence uint64
 }
--- a/internal/project/model/oidc_config.go
+++ b/internal/project/model/oidc_config.go
@ -3,6 +3,7 @@ package model
 import (
 	"fmt"
 	"strings"
+	"time"

 	"github.com/caos/logging"

@ -37,6 +38,8 @@ type OIDCConfig struct {
 	AccessTokenType          OIDCTokenType
 	AccessTokenRoleAssertion bool
 	IDTokenRoleAssertion     bool
+	IDTokenUserinfoAssertion bool
+	ClockSkew                time.Duration
 }

 type OIDCVersion int32
--- a/internal/project/repository/eventsourcing/model/oidc_config.go
+++ b/internal/project/repository/eventsourcing/model/oidc_config.go
@ -3,6 +3,7 @@ package model
 import (
 	"encoding/json"
 	"reflect"
+	"time"

 	"github.com/caos/logging"

@ -27,6 +28,8 @@ type OIDCConfig struct {
 	AccessTokenType          int32               `json:"accessTokenType,omitempty"`
 	AccessTokenRoleAssertion bool                `json:"accessTokenRoleAssertion,omitempty"`
 	IDTokenRoleAssertion     bool                `json:"idTokenRoleAssertion,omitempty"`
+	IDTokenUserinfoAssertion bool                `json:"idTokenUserinfoAssertion,omitempty"`
+	ClockSkew                time.Duration       `json:"clockSkew,omitempty"`
 }

 func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
@ -65,6 +68,12 @@ func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
 	if c.IDTokenRoleAssertion != changed.IDTokenRoleAssertion {
 		changes["idTokenRoleAssertion"] = changed.IDTokenRoleAssertion
 	}
+	if c.IDTokenUserinfoAssertion != changed.IDTokenUserinfoAssertion {
+		changes["idTokenUserinfoAssertion"] = changed.IDTokenUserinfoAssertion
+	}
+	if c.ClockSkew != changed.ClockSkew {
+		changes["clockSkew"] = changed.ClockSkew
+	}
 	return changes
 }

@ -93,6 +102,8 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
 		AccessTokenType:          int32(config.AccessTokenType),
 		AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
 		IDTokenRoleAssertion:     config.IDTokenRoleAssertion,
+		IDTokenUserinfoAssertion: config.IDTokenUserinfoAssertion,
+		ClockSkew:                config.ClockSkew,
 	}
 }

@ -121,6 +132,8 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
 		AccessTokenType:          model.OIDCTokenType(config.AccessTokenType),
 		AccessTokenRoleAssertion: config.AccessTokenRoleAssertion,
 		IDTokenRoleAssertion:     config.IDTokenRoleAssertion,
+		IDTokenUserinfoAssertion: config.IDTokenUserinfoAssertion,
+		ClockSkew:                config.ClockSkew,
 	}
 	oidcConfig.FillCompliance()
 	return oidcConfig
--- a/internal/project/repository/view/model/application.go
+++ b/internal/project/repository/view/model/application.go
@ -48,6 +48,8 @@ type ApplicationView struct {
 	AccessTokenType            int32          `json:"accessTokenType" gorm:"column:access_token_type"`
 	AccessTokenRoleAssertion   bool           `json:"accessTokenRoleAssertion" gorm:"column:access_token_role_assertion"`
 	IDTokenRoleAssertion       bool           `json:"idTokenRoleAssertion" gorm:"column:id_token_role_assertion"`
+	IDTokenUserinfoAssertion   bool           `json:"idTokenUserinfoAssertion" gorm:"column:id_token_userinfo_assertion"`
+	ClockSkew                  time.Duration  `json:"clockSkew" gorm:"column:clock_skew"`

 	Sequence uint64 `json:"-" gorm:"sequence"`
 }
@ -80,6 +82,8 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
 		AccessTokenType:            model.OIDCTokenType(app.AccessTokenType),
 		AccessTokenRoleAssertion:   app.AccessTokenRoleAssertion,
 		IDTokenRoleAssertion:       app.IDTokenRoleAssertion,
+		IDTokenUserinfoAssertion:   app.IDTokenUserinfoAssertion,
+		ClockSkew:                  app.ClockSkew,
 	}
 }

--- a/migrations/cockroach/V1.23__application_view.sql
+++ b/migrations/cockroach/V1.23__application_view.sql
@ -0,0 +1,7 @@
+ALTER TABLE management.applications ADD COLUMN id_token_userinfo_assertion BOOLEAN;
+ALTER TABLE auth.applications ADD COLUMN id_token_userinfo_assertion BOOLEAN;
+ALTER TABLE authz.applications ADD COLUMN id_token_userinfo_assertion BOOLEAN;
+
+ALTER TABLE management.applications ADD COLUMN clock_skew BIGINT;
+ALTER TABLE auth.applications ADD COLUMN clock_skew BIGINT;
+ALTER TABLE authz.applications ADD COLUMN clock_skew BIGINT;
--- a/pkg/grpc/management/proto/management.proto
+++ b/pkg/grpc/management/proto/management.proto
@ -4,6 +4,7 @@ import "google/api/annotations.proto";
 import "google/protobuf/empty.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/timestamp.proto";
+import "google/protobuf/duration.proto";
 import "protoc-gen-swagger/options/annotations.proto";
 import "validate/validate.proto";
 import "authoption/options.proto";
@ -69,7 +70,7 @@ service ManagementService {
    };
  }

-rpc GetUserByID(UserID) returns (UserView) {
+  rpc GetUserByID(UserID) returns (UserView) {
    option (google.api.http) = {
      get: "/users/{id}"
    };
@ -1198,93 +1199,93 @@ rpc GetUserByID(UserID) returns (UserView) {
    };

    option (caos.zitadel.utils.v1.auth_option) = {
-        permission: "user.grant.delete"
+      permission: "user.grant.delete"
    };
  }

  rpc IdpByID(IdpID) returns (IdpView) {
    option (google.api.http) = {
-        get: "/orgs/me/idps/{id}"
+      get: "/orgs/me/idps/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
-        permission: "org.idp.read"
+      permission: "org.idp.read"
    };
  }

  rpc CreateOidcIdp(OidcIdpConfigCreate) returns (Idp) {
    option (google.api.http) = {
-        post: "/orgs/me/idps/oidc"
-        body: "*"
+      post: "/orgs/me/idps/oidc"
+      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
-        permission: "org.idp.write"
+      permission: "org.idp.write"
    };
  }

  rpc UpdateIdpConfig(IdpUpdate) returns (Idp) {
    option (google.api.http) = {
-        put: "/orgs/me/idps/{id}"
-        body: "*"
+      put: "/orgs/me/idps/{id}"
+      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
-        permission: "org.idp.write"
+      permission: "org.idp.write"
    };
  }

  rpc DeactivateIdpConfig(IdpID) returns (Idp) {
    option (google.api.http) = {
-        put: "/orgs/me/idps/{id}/_deactivate"
-        body: "*"
+      put: "/orgs/me/idps/{id}/_deactivate"
+      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
-        permission: "org.idp.write"
+      permission: "org.idp.write"
    };
  }

  rpc ReactivateIdpConfig(IdpID) returns (Idp) {
    option (google.api.http) = {
-        put: "/orgs/me/idps/{id}/_reactivate"
-        body: "*"
+      put: "/orgs/me/idps/{id}/_reactivate"
+      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
-        permission: "org.idp.write"
+      permission: "org.idp.write"
    };
  }

  rpc RemoveIdpConfig(IdpID) returns (google.protobuf.Empty) {
    option (google.api.http) = {
-        delete: "/orgs/me/idps/{id}"
+      delete: "/orgs/me/idps/{id}"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
-        permission: "org.idp.write"
+      permission: "org.idp.write"
    };
  }

  rpc UpdateOidcIdpConfig(OidcIdpConfigUpdate) returns (OidcIdpConfig) {
    option (google.api.http) = {
-        put: "/orgs/me/idps/{idp_id}/oidcconfig"
-        body: "*"
+      put: "/orgs/me/idps/{idp_id}/oidcconfig"
+      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
-        permission: "org.idp.write"
+      permission: "org.idp.write"
    };
  }

  rpc SearchIdps(IdpSearchRequest) returns (IdpSearchResponse) {
    option (google.api.http) = {
-        post: "/orgs/me/idps/_search"
-        body: "*"
+      post: "/orgs/me/idps/_search"
+      body: "*"
    };

    option (caos.zitadel.utils.v1.auth_option) = {
-        permission: "org.idp.read"
+      permission: "org.idp.read"
    };
  }

@ -1374,64 +1375,64 @@ rpc GetUserByID(UserID) returns (UserView) {

  rpc GetLoginPolicySecondFactors(google.protobuf.Empty) returns (SecondFactorsResult) {
    option (google.api.http) = {
-            get: "/orgs/me/policies/login/secondfactors/_search"
-        };
+      get: "/orgs/me/policies/login/secondfactors/_search"
+    };

    option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "iam.policy.read"
-        };
+      permission: "iam.policy.read"
+    };
  }

  rpc AddSecondFactorToLoginPolicy(SecondFactor) returns (SecondFactor) {
    option (google.api.http) = {
-            post: "/orgs/me/policies/login/secondfactors"
-            body: "*"
-        };
+      post: "/orgs/me/policies/login/secondfactors"
+      body: "*"
+    };

    option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "iam.policy.write"
-        };
+      permission: "iam.policy.write"
+    };
  }

  rpc RemoveSecondFactorFromLoginPolicy(SecondFactor) returns (google.protobuf.Empty) {
    option (google.api.http) = {
-            delete: "/orgs/me/policies/login/secondfactors/{second_factor}"
-        };
+      delete: "/orgs/me/policies/login/secondfactors/{second_factor}"
+    };

    option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "iam.policy.write"
-        };
+      permission: "iam.policy.write"
+    };
  }

  rpc GetLoginPolicyMultiFactors(google.protobuf.Empty) returns (MultiFactorsResult) {
    option (google.api.http) = {
-            get: "/orgs/me/policies/login/multifactors/_search"
-        };
+      get: "/orgs/me/policies/login/multifactors/_search"
+    };

    option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "iam.policy.read"
-        };
+      permission: "iam.policy.read"
+    };
  }

  rpc AddMultiFactorToLoginPolicy(MultiFactor) returns (MultiFactor) {
    option (google.api.http) = {
-            post: "/orgs/me/policies/login/multifactors"
-            body: "*"
-        };
+      post: "/orgs/me/policies/login/multifactors"
+      body: "*"
+    };

    option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "iam.policy.write"
-        };
+      permission: "iam.policy.write"
+    };
  }

  rpc RemoveMultiFactorFromLoginPolicy(MultiFactor) returns (google.protobuf.Empty) {
    option (google.api.http) = {
-            delete: "/orgs/me/policies/login/multifactors/{multi_factor}"
-        };
+      delete: "/orgs/me/policies/login/multifactors/{multi_factor}"
+    };

    option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "iam.policy.write"
-        };
+      permission: "iam.policy.write"
+    };
  }

  rpc GetPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicyView) {
@ -2510,6 +2511,8 @@ message OIDCConfig {
  OIDCTokenType access_token_type = 13;
  bool access_token_role_assertion = 14;
  bool id_token_role_assertion = 15;
+  bool id_token_userinfo_assertion = 16;
+  google.protobuf.Duration clock_skew = 17;
 }

 message OIDCApplicationCreate {
@ -2526,6 +2529,8 @@ message OIDCApplicationCreate {
  OIDCTokenType access_token_type = 11;
  bool access_token_role_assertion = 12;
  bool id_token_role_assertion = 13;
+  bool id_token_userinfo_assertion = 14;
+  google.protobuf.Duration clock_skew = 15 [(validate.rules).duration = {gte: {}, lte: {seconds: 5}}];
 }

 enum OIDCVersion {
@ -2533,8 +2538,8 @@ enum OIDCVersion {
 }

 enum OIDCTokenType {
-    OIDCTokenType_Bearer = 0;
-    OIDCTokenType_JWT = 1;
+  OIDCTokenType_Bearer = 0;
+  OIDCTokenType_JWT = 1;
 }

 message OIDCConfigUpdate {
@ -2550,6 +2555,8 @@ message OIDCConfigUpdate {
  OIDCTokenType access_token_type = 10;
  bool access_token_role_assertion = 11;
  bool id_token_role_assertion = 12;
+  bool id_token_userinfo_assertion = 13;
+  google.protobuf.Duration clock_skew = 14 [(validate.rules).duration = {gte: {}, lte: {seconds: 5}}];
 }

 enum OIDCResponseType {
@ -2931,35 +2938,35 @@ enum MemberType {
 }

 message IdpID {
-    string id = 1 [(validate.rules).string = {min_len: 1}];
+  string id = 1 [(validate.rules).string = {min_len: 1}];
 }

 message Idp {
-    string id = 1;
-    IdpState state = 2;
-    google.protobuf.Timestamp creation_date = 3;
-    google.protobuf.Timestamp change_date = 4;
-    string name = 5;
-    IdpStylingType styling_type = 6;
-    oneof idp_config {
-        OidcIdpConfig oidc_config = 7;
-    }
-    uint64 sequence = 8;
+  string id = 1;
+  IdpState state = 2;
+  google.protobuf.Timestamp creation_date = 3;
+  google.protobuf.Timestamp change_date = 4;
+  string name = 5;
+  IdpStylingType styling_type = 6;
+  oneof idp_config {
+    OidcIdpConfig oidc_config = 7;
+  }
+  uint64 sequence = 8;
 }

 message IdpUpdate {
-    string id = 1 [(validate.rules).string = {min_len: 1}];
-    string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
-    IdpStylingType styling_type = 3;
+  string id = 1 [(validate.rules).string = {min_len: 1}];
+  string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  IdpStylingType styling_type = 3;
 }

 message OidcIdpConfig {
-    string client_id = 1;
-    string client_secret = 2;
-    string issuer = 3;
-    repeated string scopes = 4;
-    OIDCMappingField idp_display_name_mapping = 5;
-    OIDCMappingField username_mapping = 6;
+  string client_id = 1;
+  string client_secret = 2;
+  string issuer = 3;
+  repeated string scopes = 4;
+  OIDCMappingField idp_display_name_mapping = 5;
+  OIDCMappingField username_mapping = 6;
 }

 enum IdpStylingType {
@ -2968,9 +2975,9 @@ enum IdpStylingType {
 }

 enum IdpState {
-    IDPCONFIGSTATE_UNSPECIFIED = 0;
-    IDPCONFIGSTATE_ACTIVE = 1;
-    IDPCONFIGSTATE_INACTIVE = 2;
+  IDPCONFIGSTATE_UNSPECIFIED = 0;
+  IDPCONFIGSTATE_ACTIVE = 1;
+  IDPCONFIGSTATE_INACTIVE = 2;
 }

 enum OIDCMappingField {
@ -2980,83 +2987,83 @@ enum OIDCMappingField {
 }

 message OidcIdpConfigCreate {
-    string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
-    IdpStylingType styling_type = 2;
-    string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
-    string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
-    string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}];
-    repeated string scopes = 6;
-    OIDCMappingField idp_display_name_mapping = 7;
-    OIDCMappingField username_mapping = 8;
+  string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  IdpStylingType styling_type = 2;
+  string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  repeated string scopes = 6;
+  OIDCMappingField idp_display_name_mapping = 7;
+  OIDCMappingField username_mapping = 8;
 }

 message OidcIdpConfigUpdate {
-    string idp_id = 1 [(validate.rules).string = {min_len: 1}];
-    string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
-    string client_secret = 3;
-    string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
-    repeated string scopes = 5;
-    OIDCMappingField idp_display_name_mapping = 6;
-    OIDCMappingField username_mapping = 7;
+  string idp_id = 1 [(validate.rules).string = {min_len: 1}];
+  string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  string client_secret = 3;
+  string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  repeated string scopes = 5;
+  OIDCMappingField idp_display_name_mapping = 6;
+  OIDCMappingField username_mapping = 7;
 }

 message IdpSearchResponse {
-    uint64 offset = 1;
-    uint64 limit = 2;
-    uint64 total_result = 3;
-    repeated IdpView result = 4;
-    uint64 processed_sequence = 5;
-    google.protobuf.Timestamp view_timestamp = 6;
+  uint64 offset = 1;
+  uint64 limit = 2;
+  uint64 total_result = 3;
+  repeated IdpView result = 4;
+  uint64 processed_sequence = 5;
+  google.protobuf.Timestamp view_timestamp = 6;
 }

 message IdpView {
-    string id = 1;
-    IdpState state = 2;
-    google.protobuf.Timestamp creation_date = 3;
-    google.protobuf.Timestamp change_date = 4;
-    string name = 5;
-    IdpStylingType styling_type = 6;
-    IdpProviderType provider_type = 7;
-    oneof idp_config_view {
-        OidcIdpConfigView oidc_config = 8;
-    }
-    uint64 sequence = 9;
+  string id = 1;
+  IdpState state = 2;
+  google.protobuf.Timestamp creation_date = 3;
+  google.protobuf.Timestamp change_date = 4;
+  string name = 5;
+  IdpStylingType styling_type = 6;
+  IdpProviderType provider_type = 7;
+  oneof idp_config_view {
+    OidcIdpConfigView oidc_config = 8;
+  }
+  uint64 sequence = 9;
 }

 message OidcIdpConfigView {
-    string client_id = 1;
-    string issuer = 2;
-    repeated string scopes = 3;
-    OIDCMappingField idp_display_name_mapping = 4;
-    OIDCMappingField username_mapping = 5;
+  string client_id = 1;
+  string issuer = 2;
+  repeated string scopes = 3;
+  OIDCMappingField idp_display_name_mapping = 4;
+  OIDCMappingField username_mapping = 5;
 }

 message IdpSearchRequest {
-    uint64 offset = 1;
-    uint64 limit = 2;
-    repeated IdpSearchQuery queries = 3;
+  uint64 offset = 1;
+  uint64 limit = 2;
+  repeated IdpSearchQuery queries = 3;
 }

 message IdpSearchQuery {
-    IdpSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
-    SearchMethod method = 2;
-    string value = 3;
+  IdpSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];
+  SearchMethod method = 2;
+  string value = 3;
 }

 enum IdpSearchKey {
-    IDPSEARCHKEY_UNSPECIFIED = 0;
-    IDPSEARCHKEY_IDP_CONFIG_ID = 1;
-    IDPSEARCHKEY_NAME = 2;
-    IDPSEARCHKEY_PROVIDER_TYPE = 3;
+  IDPSEARCHKEY_UNSPECIFIED = 0;
+  IDPSEARCHKEY_IDP_CONFIG_ID = 1;
+  IDPSEARCHKEY_NAME = 2;
+  IDPSEARCHKEY_PROVIDER_TYPE = 3;
 }

 message LoginPolicy {
-    bool allow_username_password = 1;
-    bool allow_register = 2;
-    bool allow_external_idp = 3;
-    google.protobuf.Timestamp creation_date = 4;
-    google.protobuf.Timestamp change_date = 5;
-    bool force_mfa = 6;
+  bool allow_username_password = 1;
+  bool allow_register = 2;
+  bool allow_external_idp = 3;
+  google.protobuf.Timestamp creation_date = 4;
+  google.protobuf.Timestamp change_date = 5;
+  bool force_mfa = 6;
 }

 message LoginPolicyRequest {
@ -3067,7 +3074,7 @@ message LoginPolicyRequest {
 }

 message IdpProviderID {
-    string idp_config_id = 1 [(validate.rules).string = {min_len: 1}];
+  string idp_config_id = 1 [(validate.rules).string = {min_len: 1}];
 }

 message IdpProviderAdd {
@ -3081,25 +3088,25 @@ message IdpProvider {
 }

 message LoginPolicyView {
-    bool default = 1;
-    bool allow_username_password = 2;
-    bool allow_register = 3;
-    bool allow_external_idp = 4;
-    google.protobuf.Timestamp creation_date = 5;
-    google.protobuf.Timestamp change_date = 6;
-    bool force_mfa = 7;
+  bool default = 1;
+  bool allow_username_password = 2;
+  bool allow_register = 3;
+  bool allow_external_idp = 4;
+  google.protobuf.Timestamp creation_date = 5;
+  google.protobuf.Timestamp change_date = 6;
+  bool force_mfa = 7;
 }

 message IdpProviderView {
-    string idp_config_id = 1;
-    string name = 2;
-    IdpType type = 3;
+  string idp_config_id = 1;
+  string name = 2;
+  IdpType type = 3;
 }

 enum IdpType {
-    IDPTYPE_UNSPECIFIED = 0;
-    IDPTYPE_OIDC = 1;
-    IDPTYPE_SAML = 2;
+  IDPTYPE_UNSPECIFIED = 0;
+  IDPTYPE_OIDC = 1;
+  IDPTYPE_SAML = 2;
 }

 enum IdpProviderType {
@ -3109,17 +3116,17 @@ enum IdpProviderType {
 }

 message IdpProviderSearchResponse {
-    uint64 offset = 1;
-    uint64 limit = 2;
-    uint64 total_result = 3;
-    repeated IdpProviderView result = 4;
-    uint64 processed_sequence = 5;
-    google.protobuf.Timestamp view_timestamp = 6;
+  uint64 offset = 1;
+  uint64 limit = 2;
+  uint64 total_result = 3;
+  repeated IdpProviderView result = 4;
+  uint64 processed_sequence = 5;
+  google.protobuf.Timestamp view_timestamp = 6;
 }

 message IdpProviderSearchRequest {
-    uint64 offset = 1;
-    uint64 limit = 2;
+  uint64 offset = 1;
+  uint64 limit = 2;
 }

 //ProjectType is deprecated, remove as soon as console is ready