fix(oidc): return clients without instance settings (#7036)

internal/api/oidc/client.go

@@ -927,6 +927,12 @@ func (s *Server) VerifyClient(ctx context.Context, r *op.Request[op.ClientCreden
 	if client.State != domain.AppStateActive {
 		return nil, oidc.ErrInvalidClient().WithDescription("client is not active")
 	}
+	if client.Settings == nil {
+		client.Settings = &query.OIDCSettings{
+			AccessTokenLifetime: s.defaultAccessTokenLifetime,
+			IdTokenLifetime:     s.defaultIdTokenLifetime,
+		}
+	}
 
 	switch client.AuthMethodType {
 	case domain.OIDCAuthMethodTypeBasic, domain.OIDCAuthMethodTypePost:

internal/api/oidc/client_converter.go

@@ -92,11 +92,11 @@ func (c *Client) RestrictAdditionalAccessTokenScopes() func(scopes []string) []s
 }
 
 func (c *Client) AccessTokenLifetime() time.Duration {
-	return c.client.AccessTokenLifetime
+	return c.client.Settings.AccessTokenLifetime
 }
 
 func (c *Client) IDTokenLifetime() time.Duration {
-	return c.client.IDTokenLifetime
+	return c.client.Settings.IdTokenLifetime
 }
 
 func (c *Client) AccessTokenType() op.AccessTokenType {

internal/api/oidc/op.go

@@ -122,19 +122,21 @@ func NewServer(
 	}
 
 	server := &Server{
-		LegacyServer:        op.NewLegacyServer(provider, endpoints(config.CustomEndpoints)),
-		features:            config.Features,
-		repo:                repo,
-		query:               query,
-		command:             command,
-		keySet:              newKeySet(context.TODO(), time.Hour, query.GetActivePublicKeyByID),
-		defaultLoginURL:     fmt.Sprintf("%s%s?%s=", login.HandlerPrefix, login.EndpointLogin, login.QueryAuthRequestID),
-		defaultLoginURLV2:   config.DefaultLoginURLV2,
-		defaultLogoutURLV2:  config.DefaultLogoutURLV2,
-		fallbackLogger:      fallbackLogger,
-		hashAlg:             crypto.NewBCrypt(10), // as we are only verifying in oidc, the cost is already part of the hash string and the config here is irrelevant.
-		signingKeyAlgorithm: config.SigningKeyAlgorithm,
-		assetAPIPrefix:      assets.AssetAPI(externalSecure),
+		LegacyServer:               op.NewLegacyServer(provider, endpoints(config.CustomEndpoints)),
+		features:                   config.Features,
+		repo:                       repo,
+		query:                      query,
+		command:                    command,
+		keySet:                     newKeySet(context.TODO(), time.Hour, query.GetActivePublicKeyByID),
+		defaultLoginURL:            fmt.Sprintf("%s%s?%s=", login.HandlerPrefix, login.EndpointLogin, login.QueryAuthRequestID),
+		defaultLoginURLV2:          config.DefaultLoginURLV2,
+		defaultLogoutURLV2:         config.DefaultLogoutURLV2,
+		defaultAccessTokenLifetime: config.DefaultAccessTokenLifetime,
+		defaultIdTokenLifetime:     config.DefaultIdTokenLifetime,
+		fallbackLogger:             fallbackLogger,
+		hashAlg:                    crypto.NewBCrypt(10), // as we are only verifying in oidc, the cost is already part of the hash string and the config here is irrelevant.
+		signingKeyAlgorithm:        config.SigningKeyAlgorithm,
+		assetAPIPrefix:             assets.AssetAPI(externalSecure),
 	}
 	metricTypes := []metrics.MetricType{metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode, metrics.MetricTypeTotalCount}
 	server.Handler = op.RegisterLegacyServer(server, op.WithHTTPMiddleware(

internal/api/oidc/server.go

@@ -3,6 +3,7 @@ package oidc
 import (
 	"context"
 	"net/http"
+	"time"
 
 	"github.com/zitadel/logging"
 	"github.com/zitadel/oidc/v3/pkg/oidc"
@@ -27,9 +28,11 @@ type Server struct {
 	command *command.Commands
 	keySet  *keySetCache
 
-	defaultLoginURL    string
-	defaultLoginURLV2  string
-	defaultLogoutURLV2 string
+	defaultLoginURL            string
+	defaultLoginURLV2          string
+	defaultLogoutURLV2         string
+	defaultAccessTokenLifetime time.Duration
+	defaultIdTokenLifetime     time.Duration
 
 	fallbackLogger      *slog.Logger
 	hashAlg             crypto.HashAlgorithm