chore: upgrade to oidc v2 release (#5437)

* chore: upgrade to oidc v2 release * fix tests * fix build errors after rebase * pin oidc v2.1.0 * pin oidc v2.1.1 (include bugfix) * pin oidc v2.1.2 (include bugfix) * pin oidc v2.2.1 (bugfix) include fix zitadel/oidc#349 * fix: refresh token handling * simplify cognitive complexity * fix: handle error --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 04:07:31 +00:00 · 2023-03-28 14:28:56 +03:00
parent 542271b467
commit 25c3c17986
25 changed files with 362 additions and 249 deletions
--- a/internal/idp/providers/oidc/oidc.go
+++ b/internal/idp/providers/oidc/oidc.go
@@ -21,7 +21,7 @@ type Provider struct {
 	isAutoCreation    bool
 	isAutoUpdate      bool
 	useIDToken        bool
-	userInfoMapper    func(info oidc.UserInfo) idp.User
+	userInfoMapper    func(info *oidc.UserInfo) idp.User
 	authOptions       []rp.AuthURLOpt
 }

@@ -77,9 +77,9 @@ func WithSelectAccount() ProviderOpts {
 	}
 }

-type UserInfoMapper func(info oidc.UserInfo) idp.User
+type UserInfoMapper func(info *oidc.UserInfo) idp.User

-var DefaultMapper UserInfoMapper = func(info oidc.UserInfo) idp.User {
+var DefaultMapper UserInfoMapper = func(info *oidc.UserInfo) idp.User {
 	return NewUser(info)
 }

--- a/internal/idp/providers/oidc/oidc_test.go
+++ b/internal/idp/providers/oidc/oidc_test.go
@@ -21,7 +21,7 @@ func TestProvider_BeginAuth(t *testing.T) {
 		clientSecret string
 		redirectURI  string
 		scopes       []string
-		userMapper   func(info oidc.UserInfo) idp.User
+		userMapper   func(info *oidc.UserInfo) idp.User
 		httpMock     func(issuer string)
 		opts         []ProviderOpts
 	}
@@ -82,7 +82,7 @@ func TestProvider_Options(t *testing.T) {
 		clientSecret string
 		redirectURI  string
 		scopes       []string
-		userMapper   func(info oidc.UserInfo) idp.User
+		userMapper   func(info *oidc.UserInfo) idp.User
 		opts         []ProviderOpts
 		httpMock     func(issuer string)
 	}
--- a/internal/idp/providers/oidc/session.go
+++ b/internal/idp/providers/oidc/session.go
@@ -21,7 +21,7 @@ type Session struct {
 	Provider *Provider
 	AuthURL  string
 	Code     string
-	Tokens   *oidc.Tokens
+	Tokens   *oidc.Tokens[*oidc.IDTokenClaims]
 }

 // GetAuthURL implements the [idp.Session] interface.
@@ -48,7 +48,7 @@ func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {
 		return nil, err
 	}
 	if s.Provider.useIDToken {
-		info = s.Tokens.IDTokenClaims
+		info = s.Tokens.IDTokenClaims.GetUserInfo()
 	}
 	u := s.Provider.userInfoMapper(info)
 	return u, nil
@@ -58,50 +58,66 @@ func (s *Session) authorize(ctx context.Context) (err error) {
 	if s.Code == "" {
 		return ErrCodeMissing
 	}
-	s.Tokens, err = rp.CodeExchange(ctx, s.Code, s.Provider.RelyingParty)
+	s.Tokens, err = rp.CodeExchange[*oidc.IDTokenClaims](ctx, s.Code, s.Provider.RelyingParty)
 	return err
 }

-func NewUser(info oidc.UserInfo) *User {
+func NewUser(info *oidc.UserInfo) *User {
 	return &User{UserInfo: info}
 }

 type User struct {
-	oidc.UserInfo
+	*oidc.UserInfo
 }

 func (u *User) GetID() string {
-	return u.GetSubject()
+	return u.Subject
 }

 func (u *User) GetFirstName() string {
-	return u.GetGivenName()
+	return u.GivenName
 }

 func (u *User) GetLastName() string {
-	return u.GetFamilyName()
+	return u.FamilyName
 }

 func (u *User) GetDisplayName() string {
-	return u.GetName()
+	return u.Name
 }

-func (u *User) GetPhone() domain.PhoneNumber {
-	return domain.PhoneNumber(u.GetPhoneNumber())
+func (u *User) GetNickname() string {
+	return u.Nickname
 }

-func (u *User) IsPhoneVerified() bool {
-	return u.IsPhoneNumberVerified()
-}
-
-func (u *User) GetPreferredLanguage() language.Tag {
-	return u.GetLocale()
-}
-
-func (u *User) GetAvatarURL() string {
-	return u.GetPicture()
+func (u *User) GetPreferredUsername() string {
+	return u.PreferredUsername
 }

 func (u *User) GetEmail() domain.EmailAddress {
-	return domain.EmailAddress(u.UserInfo.GetEmail())
+	return domain.EmailAddress(u.UserInfo.Email)
+}
+
+func (u *User) IsEmailVerified() bool {
+	return bool(u.EmailVerified)
+}
+
+func (u *User) GetPhone() domain.PhoneNumber {
+	return domain.PhoneNumber(u.PhoneNumber)
+}
+
+func (u *User) IsPhoneVerified() bool {
+	return u.PhoneNumberVerified
+}
+
+func (u *User) GetPreferredLanguage() language.Tag {
+	return u.Locale.Tag()
+}
+
+func (u *User) GetAvatarURL() string {
+	return u.Picture
+}
+
+func (u *User) GetProfile() string {
+	return u.Profile
 }
--- a/internal/idp/providers/oidc/session_test.go
+++ b/internal/idp/providers/oidc/session_test.go
@@ -29,11 +29,11 @@ func TestSession_FetchUser(t *testing.T) {
 		clientSecret string
 		redirectURI  string
 		scopes       []string
-		userMapper   func(oidc.UserInfo) idp.User
+		userMapper   func(*oidc.UserInfo) idp.User
 		httpMock     func(issuer string)
 		authURL      string
 		code         string
-		tokens       *oidc.Tokens
+		tokens       *oidc.Tokens[*oidc.IDTokenClaims]
 	}
 	type want struct {
 		err               error
@@ -114,7 +114,7 @@ func TestSession_FetchUser(t *testing.T) {
 						JSON(userinfo())
 				},
 				authURL: "https://issuer.com/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState",
-				tokens: &oidc.Tokens{
+				tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
 					Token: &oauth2.Token{
 						AccessToken: "accessToken",
 						TokenType:   oidc.BearerToken,
@@ -163,7 +163,7 @@ func TestSession_FetchUser(t *testing.T) {
 						JSON(userinfo())
 				},
 				authURL: "https://issuer.com/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=openid&state=testState",
-				tokens: &oidc.Tokens{
+				tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
 					Token: &oauth2.Token{
 						AccessToken: "accessToken",
 						TokenType:   oidc.BearerToken,
@@ -294,20 +294,28 @@ func TestSession_FetchUser(t *testing.T) {
 	}
 }

-func userinfo() oidc.UserInfoSetter {
-	info := oidc.NewUserInfo()
-	info.SetSubject("sub")
-	info.SetGivenName("firstname")
-	info.SetFamilyName("lastname")
-	info.SetName("firstname lastname")
-	info.SetNickname("nickname")
-	info.SetPreferredUsername("username")
-	info.SetEmail("email", true)
-	info.SetPhone("phone", true)
-	info.SetLocale(language.English)
-	info.SetPicture("picture")
-	info.SetProfile("profile")
-	return info
+func userinfo() *oidc.UserInfo {
+	return &oidc.UserInfo{
+		Subject: "sub",
+		UserInfoProfile: oidc.UserInfoProfile{
+			GivenName:         "firstname",
+			FamilyName:        "lastname",
+			Name:              "firstname lastname",
+			Nickname:          "nickname",
+			PreferredUsername: "username",
+			Locale:            oidc.NewLocale(language.English),
+			Picture:           "picture",
+			Profile:           "profile",
+		},
+		UserInfoEmail: oidc.UserInfoEmail{
+			Email:         "email",
+			EmailVerified: oidc.Bool(true),
+		},
+		UserInfoPhone: oidc.UserInfoPhone{
+			PhoneNumber:         "phone",
+			PhoneNumberVerified: true,
+		},
+	}
 }

 func tokenResponse(t *testing.T, issuer string) *oidc.AccessTokenResponse {