fix(oidc): return clients without instance settings (#7036)

internal/query/embed/oidc_client_by_id.sql

@@ -29,18 +29,18 @@ keys as (
 	group by identifier
 ),
 settings as (
-	select instance_id, access_token_lifetime, id_token_lifetime
+	select instance_id, json_build_object('access_token_lifetime', access_token_lifetime, 'id_token_lifetime', id_token_lifetime) as settings
 	from projections.oidc_settings2
 	where aggregate_id = $1
 		and instance_id = $1
 )
 
 select row_to_json(r) as client from (
-	select c.*, r.project_role_keys, k.public_keys, s.access_token_lifetime, s.id_token_lifetime
+	select c.*, r.project_role_keys, k.public_keys, s.settings
 	from client c
 	left join roles r on r.project_id = c.project_id
 	left join keys k on k.client_id = c.client_id
-	join settings s on s.instance_id = s.instance_id
+	left join settings s on s.instance_id = s.instance_id
 ) r;
 
 --execute q('230690539048009730', '236647088211951618@tests', true);

internal/query/oidc_client.go

@@ -37,8 +37,7 @@ type OIDCClient struct {
 	PublicKeys               map[string][]byte          `json:"public_keys,omitempty"`
 	ProjectID                string                     `json:"project_id,omitempty"`
 	ProjectRoleKeys          []string                   `json:"project_role_keys,omitempty"`
-	AccessTokenLifetime      time.Duration              `json:"access_token_lifetime,omitempty"`
-	IDTokenLifetime          time.Duration              `json:"id_token_lifetime,omitempty"`
+	Settings                 *OIDCSettings              `json:"settings,omitempty"`
 }
 
 //go:embed embed/oidc_client_by_id.sql

internal/query/oidc_client_test.go

@@ -24,6 +24,8 @@ var (
 	testdataOidcClientPublic string
 	//go:embed testdata/oidc_client_secret.json
 	testdataOidcClientSecret string
+	//go:embed testdata/oidc_client_no_settings.json
+	testdataOidcClientNoSettings string
 )
 
 func TestQueries_GetOIDCClientByID(t *testing.T) {
@@ -81,8 +83,10 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 				ProjectID:                "236645808328409090",
 				PublicKeys:               map[string][]byte{"236647201860747266": []byte(pubkey)},
 				ProjectRoleKeys:          []string{"role1", "role2"},
-				AccessTokenLifetime:      43200000000000,
-				IDTokenLifetime:          43200000000000,
+				Settings: &OIDCSettings{
+					AccessTokenLifetime: 43200000000000,
+					IdTokenLifetime:     43200000000000,
+				},
 			},
 		},
 		{
@@ -110,8 +114,10 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 				PublicKeys:               nil,
 				ProjectID:                "236645808328409090",
 				ProjectRoleKeys:          []string{"role1", "role2"},
-				AccessTokenLifetime:      43200000000000,
-				IDTokenLifetime:          43200000000000,
+				Settings: &OIDCSettings{
+					AccessTokenLifetime: 43200000000000,
+					IdTokenLifetime:     43200000000000,
+				},
 			},
 		},
 		{
@@ -143,8 +149,43 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 				PublicKeys:               nil,
 				ProjectID:                "236645808328409090",
 				ProjectRoleKeys:          []string{"role1", "role2"},
-				AccessTokenLifetime:      43200000000000,
-				IDTokenLifetime:          43200000000000,
+				Settings: &OIDCSettings{
+					AccessTokenLifetime: 43200000000000,
+					IdTokenLifetime:     43200000000000,
+				},
+			},
+		},
+		{
+			name: "no oidc settings",
+			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientNoSettings}, "instanceID", "clientID", true),
+			want: &OIDCClient{
+				InstanceID:   "239520764275982338",
+				AppID:        "239520764276441090",
+				State:        domain.AppStateActive,
+				ClientID:     "239520764779364354@zitadel",
+				ClientSecret: nil,
+				RedirectURIs: []string{
+					"http://test2-qucuh5.localhost:9000/ui/console/auth/callback",
+					"http://test.localhost.com:9000/ui/console/auth/callback"},
+				ResponseTypes:   []domain.OIDCResponseType{0},
+				GrantTypes:      []domain.OIDCGrantType{0},
+				ApplicationType: domain.OIDCApplicationTypeUserAgent,
+				AuthMethodType:  domain.OIDCAuthMethodTypeNone,
+				PostLogoutRedirectURIs: []string{
+					"http://test2-qucuh5.localhost:9000/ui/console/signedout",
+					"http://test.localhost.com:9000/ui/console/signedout",
+				},
+				IsDevMode:                true,
+				AccessTokenType:          domain.OIDCTokenTypeBearer,
+				AccessTokenRoleAssertion: false,
+				IDTokenRoleAssertion:     false,
+				IDTokenUserinfoAssertion: false,
+				ClockSkew:                0,
+				AdditionalOrigins:        nil,
+				PublicKeys:               nil,
+				ProjectID:                "239520764276178946",
+				ProjectRoleKeys:          nil,
+				Settings:                 nil,
 			},
 		},
 	}

internal/query/oidc_settings.go

@@ -69,10 +69,10 @@ type OIDCSettings struct {
 	ResourceOwner string
 	Sequence      uint64
 
-	AccessTokenLifetime        time.Duration
-	IdTokenLifetime            time.Duration
-	RefreshTokenIdleExpiration time.Duration
-	RefreshTokenExpiration     time.Duration
+	AccessTokenLifetime        time.Duration `json:"access_token_lifetime,omitempty"`
+	IdTokenLifetime            time.Duration `json:"id_token_lifetime,omitempty"`
+	RefreshTokenIdleExpiration time.Duration `json:"refresh_token_idle_expiration,omitempty"`
+	RefreshTokenExpiration     time.Duration `json:"refresh_token_expiration,omitempty"`
 }
 
 func (q *Queries) OIDCSettingsByAggID(ctx context.Context, aggregateID string) (settings *OIDCSettings, err error) {

internal/query/testdata/oidc_client_jwt.json

@@ -22,6 +22,8 @@
   "public_keys": {
     "236647201860747266": "LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFB\nT0NBUThBTUlJQkNnS0NBUUVBMnVmQUwxYjcyYkl5MWFyK1dzNmIKR29oSkpRRkI3ZGZSYXBEcWVx\nTThVa3A2Q1ZkUHpxL3BPejF2aUFxNTB5eldaSnJ5Risyd3NoRkFLR0Y5QTIvQgoyWWY5YkpYUFov\nS2JrRnJZVDNOVHZZRGt2bGFTVGw5bU1uenJVMjlzNDhGMVBUV0tmQitDM2FNc09FRzFCdWZWCnM2\nM3FGNG5yRVBqU2JobGpJY285RlpxNFhwcEl6aE1RMGZEZEEvK1h5Z0NKcXZ1YUwwTGliTTFLcmxV\nZG51NzEKWWVraFNKakVQbnZPaXNYSWs0SVh5d29HSU93dGp4a0R2Tkl0UXZhTVZsZHI0L2tiNnV2\nYmdkV3dxNUV3QlpYcQpsb3cya3lKb3YzOFY0VWsySThrdVhwTGNucnB3NVRpbzJvb2lVRTI3YjB2\nSFpxQktPZWk5VW84OHFDcm4zRUt4CjZRSURBUUFCCi0tLS0tRU5EIFJTQSBQVUJMSUMgS0VZLS0t\nLS0K"
   },
-  "access_token_lifetime": 43200000000000,
-  "id_token_lifetime": 43200000000000
+  "settings": {
+    "access_token_lifetime": 43200000000000,
+    "id_token_lifetime": 43200000000000
+  }
 }

internal/query/testdata/oidc_client_no_settings.json

@@ -0,0 +1,30 @@
+{
+  "instance_id": "239520764275982338",
+  "app_id": "239520764276441090",
+  "client_id": "239520764779364354@zitadel",
+  "client_secret": null,
+  "redirect_uris": [
+    "http://test2-qucuh5.localhost:9000/ui/console/auth/callback",
+    "http://test.localhost.com:9000/ui/console/auth/callback"
+  ],
+  "response_types": [0],
+  "grant_types": [0],
+  "application_type": 1,
+  "auth_method_type": 2,
+  "post_logout_redirect_uris": [
+    "http://test2-qucuh5.localhost:9000/ui/console/signedout",
+    "http://test.localhost.com:9000/ui/console/signedout"
+  ],
+  "is_dev_mode": true,
+  "access_token_type": 0,
+  "access_token_role_assertion": false,
+  "id_token_role_assertion": false,
+  "id_token_userinfo_assertion": false,
+  "clock_skew": 0,
+  "additional_origins": null,
+  "project_id": "239520764276178946",
+  "state": 1,
+  "project_role_keys": null,
+  "public_keys": null,
+  "settings": null
+}

internal/query/testdata/oidc_client_public.json

@@ -20,6 +20,8 @@
   "state": 1,
   "project_role_keys": ["role1", "role2"],
   "public_keys": null,
-  "access_token_lifetime": 43200000000000,
-  "id_token_lifetime": 43200000000000
+  "settings": {
+    "access_token_lifetime": 43200000000000,
+    "id_token_lifetime": 43200000000000
+  }
 }

internal/query/testdata/oidc_client_secret.json

@@ -25,6 +25,8 @@
   "state": 1,
   "project_role_keys": ["role1", "role2"],
   "public_keys": null,
-  "access_token_lifetime": 43200000000000,
-  "id_token_lifetime": 43200000000000
+  "settings": {
+    "access_token_lifetime": 43200000000000,
+    "id_token_lifetime": 43200000000000
+  }
 }