feat: App API v2 (#10077)

# Which Problems Are Solved This PR *partially* addresses #9450 . Specifically, it implements the resource based API for the apps. APIs for app keys ARE not part of this PR. # How the Problems Are Solved - `CreateApplication`, `PatchApplication` (update) and `RegenerateClientSecret` endpoints are now unique for all app types: API, SAML and OIDC apps. - All new endpoints have integration tests - All new endpoints are using permission checks V2 # Additional Changes - The `ListApplications` endpoint allows to do sorting (see protobuf for details) and filtering by app type (see protobuf). - SAML and OIDC update endpoint can now receive requests for partial updates # Additional Context Partially addresses #9450
2025-08-12 08:47:32 +00:00 · 2025-06-27 17:25:44 +02:00
parent 016676e1dc
commit 2691dae2b6
48 changed files with 6845 additions and 603 deletions
--- a/internal/api/grpc/app/v2beta/convert/oidc_app.go
+++ b/internal/api/grpc/app/v2beta/convert/oidc_app.go
@@ -0,0 +1,291 @@
+package convert
+
+import (
+	"github.com/muhlemmer/gu"
+	"google.golang.org/protobuf/types/known/durationpb"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
+	"github.com/zitadel/zitadel/internal/query"
+	app "github.com/zitadel/zitadel/pkg/grpc/app/v2beta"
+)
+
+func CreateOIDCAppRequestToDomain(name, projectID string, req *app.CreateOIDCApplicationRequest) (*domain.OIDCApp, error) {
+	loginVersion, loginBaseURI, err := loginVersionToDomain(req.GetLoginVersion())
+	if err != nil {
+		return nil, err
+	}
+	return &domain.OIDCApp{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: projectID,
+		},
+		AppName:                  name,
+		OIDCVersion:              gu.Ptr(domain.OIDCVersionV1),
+		RedirectUris:             req.GetRedirectUris(),
+		ResponseTypes:            oidcResponseTypesToDomain(req.GetResponseTypes()),
+		GrantTypes:               oidcGrantTypesToDomain(req.GetGrantTypes()),
+		ApplicationType:          gu.Ptr(oidcApplicationTypeToDomain(req.GetAppType())),
+		AuthMethodType:           gu.Ptr(oidcAuthMethodTypeToDomain(req.GetAuthMethodType())),
+		PostLogoutRedirectUris:   req.GetPostLogoutRedirectUris(),
+		DevMode:                  &req.DevMode,
+		AccessTokenType:          gu.Ptr(oidcTokenTypeToDomain(req.GetAccessTokenType())),
+		AccessTokenRoleAssertion: gu.Ptr(req.GetAccessTokenRoleAssertion()),
+		IDTokenRoleAssertion:     gu.Ptr(req.GetIdTokenRoleAssertion()),
+		IDTokenUserinfoAssertion: gu.Ptr(req.GetIdTokenUserinfoAssertion()),
+		ClockSkew:                gu.Ptr(req.GetClockSkew().AsDuration()),
+		AdditionalOrigins:        req.GetAdditionalOrigins(),
+		SkipNativeAppSuccessPage: gu.Ptr(req.GetSkipNativeAppSuccessPage()),
+		BackChannelLogoutURI:     gu.Ptr(req.GetBackChannelLogoutUri()),
+		LoginVersion:             loginVersion,
+		LoginBaseURI:             loginBaseURI,
+	}, nil
+}
+
+func UpdateOIDCAppConfigRequestToDomain(appID, projectID string, app *app.UpdateOIDCApplicationConfigurationRequest) (*domain.OIDCApp, error) {
+	loginVersion, loginBaseURI, err := loginVersionToDomain(app.GetLoginVersion())
+	if err != nil {
+		return nil, err
+	}
+	return &domain.OIDCApp{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: projectID,
+		},
+		AppID:                    appID,
+		RedirectUris:             app.RedirectUris,
+		ResponseTypes:            oidcResponseTypesToDomain(app.ResponseTypes),
+		GrantTypes:               oidcGrantTypesToDomain(app.GrantTypes),
+		ApplicationType:          oidcApplicationTypeToDomainPtr(app.AppType),
+		AuthMethodType:           oidcAuthMethodTypeToDomainPtr(app.AuthMethodType),
+		PostLogoutRedirectUris:   app.PostLogoutRedirectUris,
+		DevMode:                  app.DevMode,
+		AccessTokenType:          oidcTokenTypeToDomainPtr(app.AccessTokenType),
+		AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
+		IDTokenRoleAssertion:     app.IdTokenRoleAssertion,
+		IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion,
+		ClockSkew:                gu.Ptr(app.GetClockSkew().AsDuration()),
+		AdditionalOrigins:        app.AdditionalOrigins,
+		SkipNativeAppSuccessPage: app.SkipNativeAppSuccessPage,
+		BackChannelLogoutURI:     app.BackChannelLogoutUri,
+		LoginVersion:             loginVersion,
+		LoginBaseURI:             loginBaseURI,
+	}, nil
+}
+
+func oidcResponseTypesToDomain(responseTypes []app.OIDCResponseType) []domain.OIDCResponseType {
+	if len(responseTypes) == 0 {
+		return []domain.OIDCResponseType{domain.OIDCResponseTypeCode}
+	}
+	oidcResponseTypes := make([]domain.OIDCResponseType, len(responseTypes))
+	for i, responseType := range responseTypes {
+		switch responseType {
+		case app.OIDCResponseType_OIDC_RESPONSE_TYPE_UNSPECIFIED:
+			oidcResponseTypes[i] = domain.OIDCResponseTypeUnspecified
+		case app.OIDCResponseType_OIDC_RESPONSE_TYPE_CODE:
+			oidcResponseTypes[i] = domain.OIDCResponseTypeCode
+		case app.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN:
+			oidcResponseTypes[i] = domain.OIDCResponseTypeIDToken
+		case app.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN:
+			oidcResponseTypes[i] = domain.OIDCResponseTypeIDTokenToken
+		}
+	}
+	return oidcResponseTypes
+}
+
+func oidcGrantTypesToDomain(grantTypes []app.OIDCGrantType) []domain.OIDCGrantType {
+	if len(grantTypes) == 0 {
+		return []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode}
+	}
+	oidcGrantTypes := make([]domain.OIDCGrantType, len(grantTypes))
+	for i, grantType := range grantTypes {
+		switch grantType {
+		case app.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE:
+			oidcGrantTypes[i] = domain.OIDCGrantTypeAuthorizationCode
+		case app.OIDCGrantType_OIDC_GRANT_TYPE_IMPLICIT:
+			oidcGrantTypes[i] = domain.OIDCGrantTypeImplicit
+		case app.OIDCGrantType_OIDC_GRANT_TYPE_REFRESH_TOKEN:
+			oidcGrantTypes[i] = domain.OIDCGrantTypeRefreshToken
+		case app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE:
+			oidcGrantTypes[i] = domain.OIDCGrantTypeDeviceCode
+		case app.OIDCGrantType_OIDC_GRANT_TYPE_TOKEN_EXCHANGE:
+			oidcGrantTypes[i] = domain.OIDCGrantTypeTokenExchange
+		}
+	}
+	return oidcGrantTypes
+}
+
+func oidcApplicationTypeToDomainPtr(appType *app.OIDCAppType) *domain.OIDCApplicationType {
+	if appType == nil {
+		return nil
+	}
+
+	res := oidcApplicationTypeToDomain(*appType)
+	return &res
+}
+
+func oidcApplicationTypeToDomain(appType app.OIDCAppType) domain.OIDCApplicationType {
+	switch appType {
+	case app.OIDCAppType_OIDC_APP_TYPE_WEB:
+		return domain.OIDCApplicationTypeWeb
+	case app.OIDCAppType_OIDC_APP_TYPE_USER_AGENT:
+		return domain.OIDCApplicationTypeUserAgent
+	case app.OIDCAppType_OIDC_APP_TYPE_NATIVE:
+		return domain.OIDCApplicationTypeNative
+	}
+	return domain.OIDCApplicationTypeWeb
+}
+
+func oidcAuthMethodTypeToDomainPtr(authType *app.OIDCAuthMethodType) *domain.OIDCAuthMethodType {
+	if authType == nil {
+		return nil
+	}
+
+	res := oidcAuthMethodTypeToDomain(*authType)
+	return &res
+}
+
+func oidcAuthMethodTypeToDomain(authType app.OIDCAuthMethodType) domain.OIDCAuthMethodType {
+	switch authType {
+	case app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC:
+		return domain.OIDCAuthMethodTypeBasic
+	case app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_POST:
+		return domain.OIDCAuthMethodTypePost
+	case app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE:
+		return domain.OIDCAuthMethodTypeNone
+	case app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT:
+		return domain.OIDCAuthMethodTypePrivateKeyJWT
+	default:
+		return domain.OIDCAuthMethodTypeBasic
+	}
+}
+
+func oidcTokenTypeToDomainPtr(tokenType *app.OIDCTokenType) *domain.OIDCTokenType {
+	if tokenType == nil {
+		return nil
+	}
+
+	res := oidcTokenTypeToDomain(*tokenType)
+	return &res
+}
+
+func oidcTokenTypeToDomain(tokenType app.OIDCTokenType) domain.OIDCTokenType {
+	switch tokenType {
+	case app.OIDCTokenType_OIDC_TOKEN_TYPE_BEARER:
+		return domain.OIDCTokenTypeBearer
+	case app.OIDCTokenType_OIDC_TOKEN_TYPE_JWT:
+		return domain.OIDCTokenTypeJWT
+	default:
+		return domain.OIDCTokenTypeBearer
+	}
+}
+
+func ComplianceProblemsToLocalizedMessages(complianceProblems []string) []*app.OIDCLocalizedMessage {
+	converted := make([]*app.OIDCLocalizedMessage, len(complianceProblems))
+	for i, p := range complianceProblems {
+		converted[i] = &app.OIDCLocalizedMessage{Key: p}
+	}
+
+	return converted
+}
+
+func appOIDCConfigToPb(oidcApp *query.OIDCApp) *app.Application_OidcConfig {
+	return &app.Application_OidcConfig{
+		OidcConfig: &app.OIDCConfig{
+			RedirectUris:             oidcApp.RedirectURIs,
+			ResponseTypes:            oidcResponseTypesFromModel(oidcApp.ResponseTypes),
+			GrantTypes:               oidcGrantTypesFromModel(oidcApp.GrantTypes),
+			AppType:                  oidcApplicationTypeToPb(oidcApp.AppType),
+			ClientId:                 oidcApp.ClientID,
+			AuthMethodType:           oidcAuthMethodTypeToPb(oidcApp.AuthMethodType),
+			PostLogoutRedirectUris:   oidcApp.PostLogoutRedirectURIs,
+			Version:                  app.OIDCVersion_OIDC_VERSION_1_0,
+			NoneCompliant:            len(oidcApp.ComplianceProblems) != 0,
+			ComplianceProblems:       ComplianceProblemsToLocalizedMessages(oidcApp.ComplianceProblems),
+			DevMode:                  oidcApp.IsDevMode,
+			AccessTokenType:          oidcTokenTypeToPb(oidcApp.AccessTokenType),
+			AccessTokenRoleAssertion: oidcApp.AssertAccessTokenRole,
+			IdTokenRoleAssertion:     oidcApp.AssertIDTokenRole,
+			IdTokenUserinfoAssertion: oidcApp.AssertIDTokenUserinfo,
+			ClockSkew:                durationpb.New(oidcApp.ClockSkew),
+			AdditionalOrigins:        oidcApp.AdditionalOrigins,
+			AllowedOrigins:           oidcApp.AllowedOrigins,
+			SkipNativeAppSuccessPage: oidcApp.SkipNativeAppSuccessPage,
+			BackChannelLogoutUri:     oidcApp.BackChannelLogoutURI,
+			LoginVersion:             loginVersionToPb(oidcApp.LoginVersion, oidcApp.LoginBaseURI),
+		},
+	}
+}
+
+func oidcResponseTypesFromModel(responseTypes []domain.OIDCResponseType) []app.OIDCResponseType {
+	oidcResponseTypes := make([]app.OIDCResponseType, len(responseTypes))
+	for i, responseType := range responseTypes {
+		switch responseType {
+		case domain.OIDCResponseTypeUnspecified:
+			oidcResponseTypes[i] = app.OIDCResponseType_OIDC_RESPONSE_TYPE_UNSPECIFIED
+		case domain.OIDCResponseTypeCode:
+			oidcResponseTypes[i] = app.OIDCResponseType_OIDC_RESPONSE_TYPE_CODE
+		case domain.OIDCResponseTypeIDToken:
+			oidcResponseTypes[i] = app.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN
+		case domain.OIDCResponseTypeIDTokenToken:
+			oidcResponseTypes[i] = app.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
+		}
+	}
+	return oidcResponseTypes
+}
+
+func oidcGrantTypesFromModel(grantTypes []domain.OIDCGrantType) []app.OIDCGrantType {
+	oidcGrantTypes := make([]app.OIDCGrantType, len(grantTypes))
+	for i, grantType := range grantTypes {
+		switch grantType {
+		case domain.OIDCGrantTypeAuthorizationCode:
+			oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE
+		case domain.OIDCGrantTypeImplicit:
+			oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_IMPLICIT
+		case domain.OIDCGrantTypeRefreshToken:
+			oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_REFRESH_TOKEN
+		case domain.OIDCGrantTypeDeviceCode:
+			oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE
+		case domain.OIDCGrantTypeTokenExchange:
+			oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_TOKEN_EXCHANGE
+		}
+	}
+	return oidcGrantTypes
+}
+
+func oidcApplicationTypeToPb(appType domain.OIDCApplicationType) app.OIDCAppType {
+	switch appType {
+	case domain.OIDCApplicationTypeWeb:
+		return app.OIDCAppType_OIDC_APP_TYPE_WEB
+	case domain.OIDCApplicationTypeUserAgent:
+		return app.OIDCAppType_OIDC_APP_TYPE_USER_AGENT
+	case domain.OIDCApplicationTypeNative:
+		return app.OIDCAppType_OIDC_APP_TYPE_NATIVE
+	default:
+		return app.OIDCAppType_OIDC_APP_TYPE_WEB
+	}
+}
+
+func oidcAuthMethodTypeToPb(authType domain.OIDCAuthMethodType) app.OIDCAuthMethodType {
+	switch authType {
+	case domain.OIDCAuthMethodTypeBasic:
+		return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC
+	case domain.OIDCAuthMethodTypePost:
+		return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_POST
+	case domain.OIDCAuthMethodTypeNone:
+		return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE
+	case domain.OIDCAuthMethodTypePrivateKeyJWT:
+		return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
+	default:
+		return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC
+	}
+}
+
+func oidcTokenTypeToPb(tokenType domain.OIDCTokenType) app.OIDCTokenType {
+	switch tokenType {
+	case domain.OIDCTokenTypeBearer:
+		return app.OIDCTokenType_OIDC_TOKEN_TYPE_BEARER
+	case domain.OIDCTokenTypeJWT:
+		return app.OIDCTokenType_OIDC_TOKEN_TYPE_JWT
+	default:
+		return app.OIDCTokenType_OIDC_TOKEN_TYPE_BEARER
+	}
+}