chore: upgrade to oidc v2 release (#5437)

* chore: upgrade to oidc v2 release

* fix tests

* fix build errors after rebase

* pin oidc v2.1.0

* pin oidc v2.1.1 (include bugfix)

* pin oidc v2.1.2 (include bugfix)

* pin oidc v2.2.1 (bugfix)

include fix zitadel/oidc#349

* fix: refresh token handling

* simplify cognitive complexity

* fix: handle error

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
Tim Möhlmann
2023-03-28 14:28:56 +03:00
committed by GitHub
parent 542271b467
commit 25c3c17986
25 changed files with 362 additions and 249 deletions


@@ -18,7 +18,7 @@ import (
func (l *Login) runPostExternalAuthenticationActions(
user *domain.ExternalUser,
tokens *oidc.Tokens,
tokens *oidc.Tokens[*oidc.IDTokenClaims],
authRequest *domain.AuthRequest,
httpRequest *http.Request,
idpUser idp.User,
@@ -347,7 +347,7 @@ func (l *Login) runPostCreationActions(
return object.UserGrantsToDomain(userID, mutableUserGrants.UserGrants), err
}
func tokenCtxFields(tokens *oidc.Tokens) []actions.FieldOption {
func tokenCtxFields(tokens *oidc.Tokens[*oidc.IDTokenClaims]) []actions.FieldOption {
var accessToken, idToken string
getClaim := func(claim string) interface{} {
return nil
@@ -367,7 +367,7 @@ func tokenCtxFields(tokens *oidc.Tokens) []actions.FieldOption {
idToken = tokens.IDToken
if tokens.IDTokenClaims != nil {
getClaim = func(claim string) interface{} {
return tokens.IDTokenClaims.GetClaim(claim)
return tokens.IDTokenClaims.Claims[claim]
}
claimsJSON = func() (string, error) {
c, err := json.Marshal(tokens.IDTokenClaims)
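Review bot: The new `return tokens.IDTokenClaims.Claims[claim]` hands actions the raw decoded claim value where the old `GetClaim` was an accessor; if v2 fills `Claims` through encoding/json (inferred, not visible here), numeric claims arrive as float64 and nested objects as map[string]any, so actions written against the v1 behaviour may now see different value types and should be checked. A read from a nil map yields nil, so the `IDTokenClaims != nil` guard on the line above is the only nil check needed. Consider a comment on the closure such as `// raw decoded id-token claims; value types follow encoding/json (numbers are float64)`. The `interface{}` results in this hunk could become `any` since the generic oidc v2 types already require Go 1.18+. tokenCtxFields continues outside the hunk.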


@@ -837,7 +837,7 @@ func (l *Login) appendUserGrants(ctx context.Context, userGrants []*domain.UserG
return nil
}
func (l *Login) externalAuthFailed(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, tokens *oidc.Tokens, user idp.User, err error) {
func (l *Login) externalAuthFailed(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, tokens *oidc.Tokens[*oidc.IDTokenClaims], user idp.User, err error) {
if _, actionErr := l.runPostExternalAuthenticationActions(&domain.ExternalUser{}, tokens, authReq, r, user, err); actionErr != nil {
logging.WithError(err).Error("both external user authentication and action post authentication failed")
}
@@ -845,7 +845,7 @@ func (l *Login) externalAuthFailed(w http.ResponseWriter, r *http.Request, authR
}
// tokens extracts the oidc.Tokens for backwards compatibility of PostExternalAuthenticationActions
func tokens(session idp.Session) *oidc.Tokens {
func tokens(session idp.Session) *oidc.Tokens[*oidc.IDTokenClaims] {
switch s := session.(type) {
case *openid.Session:
return s.Tokens
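Review bot: In externalAuthFailed the branch checks `actionErr` but logs only `err`, so the action failure the message announces is never recorded; change the line to `logging.WithError(actionErr).Error("both external user authentication and action post authentication failed")` or attach both errors, since `err` is presumably still reported by the rest of the function (which continues outside the hunk). In the tokens helper only the `*openid.Session` case is visible; the remaining cases and the fallthrough return are outside the hunk, so whether a nil `*oidc.Tokens[*oidc.IDTokenClaims]` can reach runPostExternalAuthenticationActions cannot be confirmed here and is worth a sentence in the doc comment on the function.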


@@ -81,7 +81,7 @@ func (l *Login) handleJWTExtraction(w http.ResponseWriter, r *http.Request, auth
l.renderError(w, r, authReq, err)
return
}
session := &jwt.Session{Provider: provider, Tokens: &oidc.Tokens{IDToken: token, Token: &oauth2.Token{}}}
session := &jwt.Session{Provider: provider, Tokens: &oidc.Tokens[*oidc.IDTokenClaims]{IDToken: token, Token: &oauth2.Token{}}}
user, err := session.FetchUser(r.Context())
if err != nil {
if _, actionErr := l.runPostExternalAuthenticationActions(new(domain.ExternalUser), tokens(session), authReq, r, user, err); actionErr != nil {
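Review bot: The new `oidc.Tokens[*oidc.IDTokenClaims]{IDToken: token, Token: &oauth2.Token{}}` literal sets IDToken but leaves IDTokenClaims nil, and tokenCtxFields (changed elsewhere in this commit) only exposes claims when IDTokenClaims is non-nil, so actions in the JWT flow get the token string but no claims unless `session.FetchUser` populates the field (not visible here). On the error path the same session tokens are passed to the post-authentication actions, so at that point they carry a token whose processing has just failed. A short comment on the literal, e.g. `// IDTokenClaims is left nil; FetchUser is expected to verify the token and fill it — confirm`, would make the intent explicit. handleJWTExtraction starts and ends outside the hunk.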