chore: upgrade to oidc v2 release (#5437)

* chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 05:07:31 +00:00 · 2023-03-28 14:28:56 +03:00
parent 542271b467
commit 25c3c17986
25 changed files with 362 additions and 249 deletions
--- a/internal/idp/providers/jwt/session.go
+++ b/internal/idp/providers/jwt/session.go
@@ -27,7 +27,7 @@ var (
 type Session struct {
 	*Provider
 	AuthURL string
-	Tokens  *oidc.Tokens
+	Tokens  *oidc.Tokens[*oidc.IDTokenClaims]
 }

 // GetAuthURL implements the [idp.Session] interface
@@ -48,12 +48,12 @@ func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {
 	return &User{s.Tokens.IDTokenClaims}, nil
 }

-func (s *Session) validateToken(ctx context.Context, token string) (oidc.IDTokenClaims, error) {
+func (s *Session) validateToken(ctx context.Context, token string) (*oidc.IDTokenClaims, error) {
 	logging.Debug("begin token validation")
 	// TODO: be able to specify them in the template: https://github.com/zitadel/zitadel/issues/5322
 	offset := 3 * time.Second
 	maxAge := time.Hour
-	claims := oidc.EmptyIDTokenClaims()
+	claims := new(oidc.IDTokenClaims)
 	payload, err := oidc.ParseToken(token, claims)
 	if err != nil {
 		return nil, fmt.Errorf("%w: malformed jwt payload: %v", ErrInvalidToken, err)
@@ -84,45 +84,57 @@ func (s *Session) validateToken(ctx context.Context, token string) (oidc.IDToken
 }

 type User struct {
-	oidc.IDTokenClaims
+	*oidc.IDTokenClaims
 }

 func (u *User) GetID() string {
-	return u.IDTokenClaims.GetSubject()
+	return u.Subject
 }

 func (u *User) GetFirstName() string {
-	return u.IDTokenClaims.GetGivenName()
+	return u.GivenName
 }

 func (u *User) GetLastName() string {
-	return u.IDTokenClaims.GetFamilyName()
+	return u.FamilyName
 }

 func (u *User) GetDisplayName() string {
-	return u.IDTokenClaims.GetName()
+	return u.Name
 }

 func (u *User) GetNickname() string {
-	return u.IDTokenClaims.GetNickname()
+	return u.Nickname
 }

-func (u *User) GetPhone() domain.PhoneNumber {
-	return domain.PhoneNumber(u.IDTokenClaims.GetPhoneNumber())
-}
-
-func (u *User) IsPhoneVerified() bool {
-	return u.IDTokenClaims.IsPhoneNumberVerified()
-}
-
-func (u *User) GetPreferredLanguage() language.Tag {
-	return u.IDTokenClaims.GetLocale()
-}
-
-func (u *User) GetAvatarURL() string {
-	return u.IDTokenClaims.GetPicture()
+func (u *User) GetPreferredUsername() string {
+	return u.PreferredUsername
 }

 func (u *User) GetEmail() domain.EmailAddress {
-	return domain.EmailAddress(u.IDTokenClaims.GetEmail())
+	return domain.EmailAddress(u.Email)
+}
+
+func (u *User) IsEmailVerified() bool {
+	return bool(u.EmailVerified)
+}
+
+func (u *User) GetPhone() domain.PhoneNumber {
+	return domain.PhoneNumber(u.IDTokenClaims.PhoneNumber)
+}
+
+func (u *User) IsPhoneVerified() bool {
+	return u.PhoneNumberVerified
+}
+
+func (u *User) GetPreferredLanguage() language.Tag {
+	return u.Locale.Tag()
+}
+
+func (u *User) GetAvatarURL() string {
+	return u.Picture
+}
+
+func (u *User) GetProfile() string {
+	return u.Profile
 }
--- a/internal/idp/providers/jwt/session_test.go
+++ b/internal/idp/providers/jwt/session_test.go
@@ -30,7 +30,7 @@ func TestSession_FetchUser(t *testing.T) {
 		encryptionAlg func(t *testing.T) crypto.EncryptionAlgorithm
 		httpMock      func(issuer string)
 		authURL       string
-		tokens        *oidc.Tokens
+		tokens        *oidc.Tokens[*oidc.IDTokenClaims]
 	}
 	type want struct {
 		err               func(error) bool
@@ -93,7 +93,7 @@ func TestSession_FetchUser(t *testing.T) {
 						JSON(keys(t))
 				},
 				authURL: "https://auth.com/jwt?authRequestID=testState",
-				tokens: &oidc.Tokens{
+				tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
 					Token:   &oauth2.Token{},
 					IDToken: "invalidToken",
 				},
@@ -121,26 +121,32 @@ func TestSession_FetchUser(t *testing.T) {
 						JSON(keys(t))
 				},
 				authURL: "https://auth.com/jwt?authRequestID=testState",
-				tokens: &oidc.Tokens{
+				tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
 					Token:   &oauth2.Token{},
 					IDToken: idToken(t, "https://jwt.com"),
-					IDTokenClaims: func() oidc.IDTokenClaims {
-						claims := oidc.EmptyIDTokenClaims()
-						userinfo := oidc.NewUserInfo()
-						userinfo.SetSubject("sub")
-						userinfo.SetPicture("picture")
-						userinfo.SetName("firstname lastname")
-						userinfo.SetEmail("email", true)
-						userinfo.SetGivenName("firstname")
-						userinfo.SetFamilyName("lastname")
-						userinfo.SetNickname("nickname")
-						userinfo.SetPreferredUsername("username")
-						userinfo.SetProfile("profile")
-						userinfo.SetPhone("phone", true)
-						userinfo.SetLocale(language.English)
-						claims.SetUserinfo(userinfo)
-						return claims
-					}(),
+					IDTokenClaims: &oidc.IDTokenClaims{
+						TokenClaims: oidc.TokenClaims{
+							Subject: "sub",
+						},
+						UserInfoProfile: oidc.UserInfoProfile{
+							Picture:           "picture",
+							Name:              "firstname lastname",
+							GivenName:         "firstname",
+							FamilyName:        "lastname",
+							Nickname:          "nickname",
+							PreferredUsername: "username",
+							Profile:           "profile",
+							Locale:            oidc.NewLocale(language.English),
+						},
+						UserInfoEmail: oidc.UserInfoEmail{
+							Email:         "email",
+							EmailVerified: oidc.Bool(true),
+						},
+						UserInfoPhone: oidc.UserInfoPhone{
+							PhoneNumber:         "phone",
+							PhoneNumberVerified: true,
+						},
+					},
 				},
 			},
 			want: want{
@@ -219,19 +225,25 @@ func idToken(t *testing.T, issuer string) string {
 		"clientID",
 		0,
 	)
-	info := oidc.NewUserInfo()
-	info.SetSubject("sub")
-	info.SetGivenName("firstname")
-	info.SetFamilyName("lastname")
-	info.SetName("firstname lastname")
-	info.SetNickname("nickname")
-	info.SetPreferredUsername("username")
-	info.SetEmail("email", true)
-	info.SetPhone("phone", true)
-	info.SetLocale(language.English)
-	info.SetPicture("picture")
-	info.SetProfile("profile")
-	claims.SetUserinfo(info)
+	claims.UserInfoProfile = oidc.UserInfoProfile{
+		GivenName:         "firstname",
+		FamilyName:        "lastname",
+		Name:              "firstname lastname",
+		Nickname:          "nickname",
+		PreferredUsername: "username",
+		Locale:            oidc.NewLocale(language.English),
+		Picture:           "picture",
+		Profile:           "profile",
+	}
+	claims.UserInfoEmail = oidc.UserInfoEmail{
+		Email:         "email",
+		EmailVerified: oidc.Bool(true),
+	}
+	claims.UserInfoPhone = oidc.UserInfoPhone{
+		PhoneNumber:         "phone",
+		PhoneNumberVerified: true,
+	}
+
 	privateKey, err := crypto.BytesToPrivateKey([]byte(`-----BEGIN RSA PRIVATE KEY-----
 MIIEpAIBAAKCAQEAs38btwb3c7r0tMaQpGvBmY+mPwMU/LpfuPoC0k2t4RsKp0fv
 40SMl50CRrHgk395wch8PMPYbl3+8TtYAJuyrFALIj3Ff1UcKIk0hOH5DDsfh7/q