feat: add additional origins on applications (#1691)

* feat: add additional origins on applications

* app additional redirects

* chore(deps-dev): bump @angular/cli from 11.2.8 to 11.2.11 in /console (#1706)

* fix: show org with regex (#1688)

* fix: flag mapping (#1699)

* chore(deps-dev): bump @angular/cli from 11.2.8 to 11.2.11 in /console

Bumps [@angular/cli](https://github.com/angular/angular-cli) from 11.2.8 to 11.2.11.
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Commits](https://github.com/angular/angular-cli/compare/v11.2.8...v11.2.11)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump stylelint from 13.10.0 to 13.13.1 in /console (#1703)

* fix: show org with regex (#1688)

* fix: flag mapping (#1699)

* chore(deps-dev): bump stylelint from 13.10.0 to 13.13.1 in /console

Bumps [stylelint](https://github.com/stylelint/stylelint) from 13.10.0 to 13.13.1.
- [Release notes](https://github.com/stylelint/stylelint/releases)
- [Changelog](https://github.com/stylelint/stylelint/blob/master/CHANGELOG.md)
- [Commits](https://github.com/stylelint/stylelint/compare/13.10.0...13.13.1)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @types/node from 14.14.37 to 15.0.1 in /console (#1702)

* fix: show org with regex (#1688)

* fix: flag mapping (#1699)

* chore(deps-dev): bump @types/node from 14.14.37 to 15.0.1 in /console

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 14.14.37 to 15.0.1.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump ts-protoc-gen from 0.14.0 to 0.15.0 in /console (#1701)

* fix: show org with regex (#1688)

* fix: flag mapping (#1699)

* chore(deps): bump ts-protoc-gen from 0.14.0 to 0.15.0 in /console

Bumps [ts-protoc-gen](https://github.com/improbable-eng/ts-protoc-gen) from 0.14.0 to 0.15.0.
- [Release notes](https://github.com/improbable-eng/ts-protoc-gen/releases)
- [Changelog](https://github.com/improbable-eng/ts-protoc-gen/blob/master/CHANGELOG.md)
- [Commits](https://github.com/improbable-eng/ts-protoc-gen/compare/0.14.0...0.15.0)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump @types/jasmine from 3.6.9 to 3.6.10 in /console (#1682)

Bumps [@types/jasmine](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jasmine) from 3.6.9 to 3.6.10.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jasmine)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump @types/google-protobuf in /console (#1681)

Bumps [@types/google-protobuf](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/google-protobuf) from 3.7.4 to 3.15.2.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/google-protobuf)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump grpc from 1.24.5 to 1.24.7 in /console (#1666)

Bumps [grpc](https://github.com/grpc/grpc-node) from 1.24.5 to 1.24.7.
- [Release notes](https://github.com/grpc/grpc-node/releases)
- [Commits](https://github.com/grpc/grpc-node/compare/grpc@1.24.5...grpc@1.24.7)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* lock

* chore(deps-dev): bump @angular/language-service from 11.2.9 to 11.2.12 in /console (#1704)

* fix: show org with regex (#1688)

* fix: flag mapping (#1699)

* chore(deps-dev): bump @angular/language-service in /console

Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 11.2.9 to 11.2.12.
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/11.2.12/packages/language-service)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* package lock

* downgrade grpc

* downgrade protobuf types

* revert npm packs 🥸

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Silvan <silvan.reusser@gmail.com>
This commit is contained in:
Livio Amstutz 2021-05-19 09:17:38 +02:00 committed by GitHub
parent 18ed6633be
commit 2e8fa82261
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
30 changed files with 380 additions and 17 deletions

View File

@ -0,0 +1,28 @@
<form class="form" (ngSubmit)="add(originInput)">
<cnsl-form-field class="formfield">
<cnsl-label>{{ title }}</cnsl-label>
<input #originInput cnslInput [placeholder]="placeholder" [formControl]="redirectControl">
</cnsl-form-field>
<button matTooltip="{{'ACTIONS.ADD' | translate}}" type="submit" mat-icon-button
[disabled]="redirectControl.invalid || !canWrite">
<mat-icon>add</mat-icon>
</button>
</form>
<div class="uri-list">
<div *ngFor="let uri of urisList" class="uri-line">
<span class="uri"
[ngClass]="{'green': uri?.startsWith('https://'), 'red': !uri?.startsWith('https://')}">{{uri}}</span>
<span class="fill-space"></span>
<!-- TODO add regex later -->
<!-- <i *ngIf="!(uri | origin)" class="las la-exclamation red" [matTooltip]="'APP.NOTANORIGIN' | translate"></i> -->
<button matTooltip="{{'ACTIONS.DELETE' | translate}}" mat-icon-button (click)="remove(uri)" class="icon-button">
<mat-icon class="icon">cancel</mat-icon>
</button>
</div>
</div>
<p *ngIf="redirectControl.value && redirectControl.invalid" class="error">
{{'APP.OIDC.REDIRECTNOTVALID' | translate}}</p>

View File

@ -0,0 +1,62 @@
.form {
display: flex;
align-items: flex-end;
min-width: 320px;
.formfield {
flex: 1;
}
button {
margin-bottom: 14px;
margin-right: -.5rem;
}
}
.uri-list {
margin: 0 .5rem;
width: 100%;
.uri-line {
display: flex;
align-items: center;
.uri {
font-family: Consolas, Monaco, 'Andale Mono', 'Ubuntu Mono', monospace;
font-size: 14px;
}
.fill-space {
flex: 1;
}
i.green {
font-size: 1rem;
line-height: 35px;
height: 30px;
}
i.red {
font-size: 1.2rem;
}
.icon-button {
height: 30px;
line-height: 30px;
.icon {
font-size: 1rem !important;
}
&:not(:hover) {
color: var(--grey);
}
}
}
}
.error {
font-size: 13px;
color: #f44336;
margin: 0 .5rem 1.5rem .5rem;
}

View File

@ -0,0 +1,25 @@
import { ComponentFixture, TestBed } from '@angular/core/testing';
import { AdditionalOriginsComponent } from './additional-origins.component';
describe('AdditionalOriginsComponent', () => {
let component: AdditionalOriginsComponent;
let fixture: ComponentFixture<AdditionalOriginsComponent>;
beforeEach(async () => {
await TestBed.configureTestingModule({
declarations: [AdditionalOriginsComponent],
})
.compileComponents();
});
beforeEach(() => {
fixture = TestBed.createComponent(AdditionalOriginsComponent);
component = fixture.componentInstance;
fixture.detectChanges();
});
it('should create', () => {
expect(component).toBeTruthy();
});
});

View File

@ -0,0 +1,56 @@
import { Component, EventEmitter, Input, OnDestroy, OnInit, ViewChild } from '@angular/core';
import { FormControl } from '@angular/forms';
import { Observable, Subscription } from 'rxjs';
@Component({
selector: 'cnsl-additional-origins',
templateUrl: './additional-origins.component.html',
styleUrls: ['./additional-origins.component.scss'],
})
export class AdditionalOriginsComponent implements OnInit, OnDestroy {
@Input() title: string = '';
@Input() canWrite: boolean = false;
@Input() public urisList: string[] = [];
@Input() public redirectControl: FormControl = new FormControl({ value: '', disabled: true });
@Input() public changedUris: EventEmitter<string[]> = new EventEmitter();
@Input() public getValues: Observable<void> = new Observable();
public placeholder: string = '<scheme> "://" <hostname> [ ":" <port> ]';
@ViewChild('originInput') input!: any;
private sub: Subscription = new Subscription();
constructor() { }
ngOnInit(): void {
if (this.canWrite) {
this.redirectControl.enable();
}
this.sub = this.getValues.subscribe(() => {
this.add(this.input.nativeElement);
});
}
ngOnDestroy(): void {
this.sub.unsubscribe();
}
public add(input: any): void {
if (this.redirectControl.valid) {
if (input.value !== '' && input.value !== ' ' && input.value !== '/') {
this.urisList.push(input.value);
}
if (input) {
input.value = '';
}
}
}
public remove(redirect: any): void {
const index = this.urisList.indexOf(redirect);
if (index >= 0) {
this.urisList.splice(index, 1);
}
}
}

View File

@ -118,7 +118,6 @@
{{'APP.OIDC.REDIRECTDESCRIPTIONWEB' | translate}}
</cnsl-info-section>
<div style="margin: .5rem" class="divider"></div>
<cnsl-redirect-uris *ngIf="appType?.value !== undefined" class="redirect-section" [canWrite]="canWrite"
[devMode]="devMode?.value" [getValues]="requestRedirectValuesSubject$"
(changedUris)="redirectUrisList = $event" [urisList]="redirectUrisList"
@ -132,6 +131,27 @@
title="{{ 'APP.OIDC.POSTLOGOUTREDIRECT' | translate }}"
[isNative]="appType?.value == OIDCAppType.OIDC_APP_TYPE_NATIVE">
</cnsl-redirect-uris>
<div style="margin: .5rem" class="divider"></div>
<div class="additional-origins">
<p class="title">{{'APP.ADDITIONALORIGINS' | translate}}
<button mat-icon-button (click)="showAdditionalOrigins = !showAdditionalOrigins"
matTooltip="{{(showAdditionalOrigins ? 'ACTIONS.HIDE' : 'ACTIONS.SHOW') | translate}}">
<mat-icon *ngIf="!showAdditionalOrigins">expand_more</mat-icon>
<mat-icon *ngIf="showAdditionalOrigins">expand_less</mat-icon>
</button>
</p>
<ng-container *ngIf="showAdditionalOrigins">
<p class="desc">{{'APP.ADDITIONALORIGINSDESC' | translate}}</p>
<cnsl-additional-origins *ngIf="appType?.value !== undefined" class="input" [canWrite]="canWrite"
[getValues]="requestRedirectValuesSubject$" (changedUris)="additionalOriginsList = $event"
[urisList]="additionalOriginsList" title="{{ 'APP.ORIGINS' | translate }}">
</cnsl-additional-origins>
</ng-container>
</div>
<div style="margin: .5rem" class="divider"></div>
</div>
<app-auth-method-radio *ngIf="authMethods && initialAuthMethod && (app?.oidcConfig || app?.apiConfig)"

View File

@ -155,6 +155,26 @@
margin: 0 .5rem;
}
.additional-origins {
display: block;
width: 100%;
margin: 0 .5rem;
.title {
margin: 0;
}
.desc {
color: var(--grey);
font-size: 14px;
margin-top: 0;
}
.input {
width: 100%;
}
}
.formfield {
flex: 1 1 30%;
margin: 0 .5rem;

View File

@ -61,6 +61,7 @@ export class AppDetailComponent implements OnInit, OnDestroy {
public errorMessage: string = '';
public removable: boolean = true;
public addOnBlur: boolean = true;
public showAdditionalOrigins: boolean = false;
public readonly separatorKeysCodes: number[] = [ENTER, COMMA, SPACE];
public authMethods: RadioItemAuthType[] = [];
@ -102,6 +103,7 @@ export class AppDetailComponent implements OnInit, OnDestroy {
public redirectUrisList: string[] = [];
public postLogoutRedirectUrisList: string[] = [];
public additionalOriginsList: string[] = [];
public isZitadel: boolean = false;
public docs!: GetOIDCInformationResponse.AsObject;
@ -252,6 +254,10 @@ export class AppDetailComponent implements OnInit, OnDestroy {
if (this.app.oidcConfig?.postLogoutRedirectUrisList) {
this.postLogoutRedirectUrisList = this.app.oidcConfig.postLogoutRedirectUrisList;
}
if (this.app.oidcConfig?.additionalOriginsList) {
this.additionalOriginsList = this.app.oidcConfig.additionalOriginsList;
}
if (this.app.oidcConfig?.clockSkew) {
const inSecs = this.app.oidcConfig?.clockSkew.seconds +
this.app.oidcConfig?.clockSkew.nanos / 100000;
@ -445,6 +451,7 @@ export class AppDetailComponent implements OnInit, OnDestroy {
this.app.oidcConfig.authMethodType = this.authMethodType?.value;
this.app.oidcConfig.redirectUrisList = this.redirectUrisList;
this.app.oidcConfig.postLogoutRedirectUrisList = this.postLogoutRedirectUrisList;
this.app.oidcConfig.additionalOriginsList = this.additionalOriginsList;
this.app.oidcConfig.devMode = this.devMode?.value;
this.app.oidcConfig.accessTokenType = this.accessTokenType?.value;
this.app.oidcConfig.accessTokenRoleAssertion = this.accessTokenRoleAssertion?.value;

View File

@ -1,3 +1,4 @@
import { A11yModule } from '@angular/cdk/a11y';
import { CommonModule } from '@angular/common';
import { NgModule } from '@angular/core';
import { FormsModule, ReactiveFormsModule } from '@angular/forms';
@ -22,25 +23,28 @@ import { HasRoleModule } from 'src/app/directives/has-role/has-role.module';
import { AppRadioModule } from 'src/app/modules/app-radio/app-radio.module';
import { CardModule } from 'src/app/modules/card/card.module';
import { ChangesModule } from 'src/app/modules/changes/changes.module';
import { ClientKeysModule } from 'src/app/modules/client-keys/client-keys.module';
import { InfoSectionModule } from 'src/app/modules/info-section/info-section.module';
import { InputModule } from 'src/app/modules/input/input.module';
import { LinksModule } from 'src/app/modules/links/links.module';
import { MetaLayoutModule } from 'src/app/modules/meta-layout/meta-layout.module';
import { OriginPipeModule } from 'src/app/pipes/origin-pipe/origin-pipe.module';
import { RedirectPipeModule } from 'src/app/pipes/redirect-pipe/redirect-pipe.module';
import { AdditionalOriginsComponent } from './additional-origins/additional-origins.component';
import { AppCreateComponent } from './app-create/app-create.component';
import { AppDetailComponent } from './app-detail/app-detail.component';
import { AppSecretDialogComponent } from './app-secret-dialog/app-secret-dialog.component';
import { AppsRoutingModule } from './apps-routing.module';
import { A11yModule } from '@angular/cdk/a11y';
import { RedirectUrisComponent } from './redirect-uris/redirect-uris.component';
import { LinksModule } from 'src/app/modules/links/links.module';
import { RedirectPipeModule } from 'src/app/pipes/redirect-pipe/redirect-pipe.module';
import { ClientKeysModule } from 'src/app/modules/client-keys/client-keys.module';
@NgModule({
declarations: [
AppCreateComponent,
AppDetailComponent,
AppSecretDialogComponent,
RedirectUrisComponent,
AdditionalOriginsComponent,
],
imports: [
CommonModule,
@ -51,6 +55,7 @@ import { ClientKeysModule } from 'src/app/modules/client-keys/client-keys.module
AppsRoutingModule,
FormsModule,
TranslateModule,
OriginPipeModule,
ReactiveFormsModule,
HasRoleModule,
MatMenuModule,

View File

@ -0,0 +1,18 @@
import { CommonModule } from '@angular/common';
import { NgModule } from '@angular/core';
import { OriginPipe } from './origin.pipe';
@NgModule({
declarations: [
OriginPipe,
],
imports: [
CommonModule,
],
exports: [
OriginPipe,
],
})
export class OriginPipeModule { }

View File

@ -0,0 +1,10 @@
import { Pipe, PipeTransform } from '@angular/core';
@Pipe({
name: 'origin',
})
export class OriginPipe implements PipeTransform {
public transform(value: string): boolean {
return new RegExp(/^((https?:\/\/).*?([\w\d-]*\.[\w\d]+))($|\/.*$)/gm).test(value);
}
}

View File

@ -104,6 +104,8 @@
}
},
"ACTIONS": {
"SHOW":"Aufklappen",
"HIDE":"Zuklappen",
"SAVE": "Speichern",
"SAVENOW": "Speichern",
"NEW": "Neu",
@ -1056,6 +1058,10 @@
"AUTHMETHOD": "Authentifizierungsmethode",
"AUTHMETHODSECTION": "Authentifizierungsmethode",
"GRANT": "Berechtigungstypen",
"ADDITIONALORIGINS":"Zusätzliche Origins",
"ADDITIONALORIGINSDESC":"Wenn sie zusätzliche Origins definieren wollen, die nicht den Redirect URIs gleichzusätzen sind, können Sie dies hier tun.",
"ORIGINS":"Origins",
"NOTANORIGIN":"Der Angegebene Wert ist kein Origin.",
"OIDC": {
"INFO": {
"ISSUER": "Issuer",

View File

@ -104,6 +104,8 @@
}
},
"ACTIONS": {
"SHOW":"Show",
"HIDE":"Hide",
"SAVE": "Save",
"SAVENOW": "Save now",
"NEW": "New",
@ -1057,6 +1059,10 @@
"AUTHMETHOD": "Authentication Method",
"AUTHMETHODSECTION": "Authentication Method",
"GRANT": "Grant Types",
"ADDITIONALORIGINS":"Additional Origins",
"ADDITIONALORIGINSDESC":"If you want to add additional Origins to your app which is not used as a redirect you can do that here.",
"ORIGINS":"Origins",
"NOTANORIGIN":"The entered value is not an origin",
"OIDC": {
"INFO": {
"ISSUER": "Issuer",

View File

@ -84,6 +84,8 @@ title: zitadel/app.proto
| id_token_role_assertion | bool | - | |
| id_token_userinfo_assertion | bool | - | |
| clock_skew | google.protobuf.Duration | - | |
| additional_origins | repeated string | - | |
| allowed_origins | repeated string | - | |

View File

@ -2074,6 +2074,7 @@ Change OIDC identity provider configuration of the organisation
| id_token_role_assertion | bool | - | |
| id_token_userinfo_assertion | bool | - | |
| clock_skew | google.protobuf.Duration | - | duration.lte.seconds: 5<br /> duration.lte.nanos: 0<br /> duration.gte.seconds: 0<br /> duration.gte.nanos: 0<br /> |
| additional_origins | repeated string | - | |
@ -5194,6 +5195,7 @@ This is an empty request
| id_token_role_assertion | bool | - | |
| id_token_userinfo_assertion | bool | - | |
| clock_skew | google.protobuf.Duration | - | duration.lte.seconds: 5<br /> duration.lte.nanos: 0<br /> duration.gte.seconds: 0<br /> duration.gte.nanos: 0<br /> |
| additional_origins | repeated string | - | |

View File

@ -52,6 +52,7 @@ func AddOIDCAppRequestToDomain(req *mgmt_pb.AddOIDCAppRequest) *domain.OIDCApp {
IDTokenRoleAssertion: req.IdTokenRoleAssertion,
IDTokenUserinfoAssertion: req.IdTokenUserinfoAssertion,
ClockSkew: req.ClockSkew.AsDuration(),
AdditionalOrigins: req.AdditionalOrigins,
}
}
@ -90,6 +91,7 @@ func UpdateOIDCAppConfigRequestToDomain(app *mgmt_pb.UpdateOIDCAppConfigRequest)
IDTokenRoleAssertion: app.IdTokenRoleAssertion,
IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion,
ClockSkew: app.ClockSkew.AsDuration(),
AdditionalOrigins: app.AdditionalOrigins,
}
}

View File

@ -55,6 +55,8 @@ func AppOIDCConfigToPb(app *proj_model.ApplicationView) *app_pb.App_OidcConfig {
IdTokenRoleAssertion: app.IDTokenRoleAssertion,
IdTokenUserinfoAssertion: app.IDTokenUserinfoAssertion,
ClockSkew: durationpb.New(app.ClockSkew),
AdditionalOrigins: app.AdditionalOrigins,
AllowedOrigins: app.OriginAllowList,
},
}
}

View File

@ -21,3 +21,12 @@ func IsOriginAllowed(allowList []string, origin string) bool {
}
return false
}
//IsOrigin checks if provided string is an origin (scheme://hostname[:port]) without path, query or fragment
func IsOrigin(rawOrigin string) bool {
parsedUrl, err := url.Parse(rawOrigin)
if err != nil {
return false
}
return parsedUrl.Scheme != "" && parsedUrl.Host != "" && parsedUrl.Path == "" && len(parsedUrl.Query()) == 0 && parsedUrl.Fragment == ""
}

View File

@ -81,7 +81,8 @@ func (c *Commands) addOIDCApplication(ctx context.Context, projectAgg *eventstor
oidcApp.AccessTokenRoleAssertion,
oidcApp.IDTokenRoleAssertion,
oidcApp.IDTokenUserinfoAssertion,
oidcApp.ClockSkew))
oidcApp.ClockSkew,
oidcApp.AdditionalOrigins))
return events, stringPw, nil
}
@ -115,7 +116,8 @@ func (c *Commands) ChangeOIDCApplication(ctx context.Context, oidc *domain.OIDCA
oidc.AccessTokenRoleAssertion,
oidc.IDTokenRoleAssertion,
oidc.IDTokenUserinfoAssertion,
oidc.ClockSkew)
oidc.ClockSkew,
oidc.AdditionalOrigins)
if err != nil {
return nil, err
}

View File

@ -33,6 +33,7 @@ type OIDCApplicationWriteModel struct {
IDTokenUserinfoAssertion bool
ClockSkew time.Duration
State domain.AppState
AdditionalOrigins []string
}
func NewOIDCApplicationWriteModelWithAppID(projectID, appID, resourceOwner string) *OIDCApplicationWriteModel {
@ -151,6 +152,7 @@ func (wm *OIDCApplicationWriteModel) appendAddOIDCEvent(e *project.OIDCConfigAdd
wm.IDTokenRoleAssertion = e.IDTokenRoleAssertion
wm.IDTokenUserinfoAssertion = e.IDTokenUserinfoAssertion
wm.ClockSkew = e.ClockSkew
wm.AdditionalOrigins = e.AdditionalOrigins
}
func (wm *OIDCApplicationWriteModel) appendChangeOIDCEvent(e *project.OIDCConfigChangedEvent) {
@ -193,6 +195,9 @@ func (wm *OIDCApplicationWriteModel) appendChangeOIDCEvent(e *project.OIDCConfig
if e.ClockSkew != nil {
wm.ClockSkew = *e.ClockSkew
}
if e.AdditionalOrigins != nil {
wm.AdditionalOrigins = *e.AdditionalOrigins
}
}
func (wm *OIDCApplicationWriteModel) Query() *eventstore.SearchQueryBuilder {
@ -229,6 +234,7 @@ func (wm *OIDCApplicationWriteModel) NewChangedEvent(
idTokenRoleAssertion,
idTokenUserinfoAssertion bool,
clockSkew time.Duration,
additionalOrigins []string,
) (*project.OIDCConfigChangedEvent, bool, error) {
changes := make([]project.OIDCConfigChanges, 0)
var err error
@ -272,6 +278,9 @@ func (wm *OIDCApplicationWriteModel) NewChangedEvent(
if wm.ClockSkew != clockSkew {
changes = append(changes, project.ChangeClockSkew(clockSkew))
}
if !reflect.DeepEqual(wm.AdditionalOrigins, additionalOrigins) {
changes = append(changes, project.ChangeAdditionalOrigins(additionalOrigins))
}
if len(changes) == 0 {
return nil, false, nil
}

View File

@ -151,7 +151,8 @@ func TestCommandSide_AddOIDCApplication(t *testing.T) {
true,
true,
true,
time.Second*1),
time.Second*1,
[]string{"https://sub.test.ch"}),
),
},
uniqueConstraintsFromEventConstraint(project.NewAddApplicationUniqueConstraint("app", "project1")),
@ -180,6 +181,7 @@ func TestCommandSide_AddOIDCApplication(t *testing.T) {
IDTokenRoleAssertion: true,
IDTokenUserinfoAssertion: true,
ClockSkew: time.Second * 1,
AdditionalOrigins: []string{"https://sub.test.ch"},
},
resourceOwner: "org1",
},
@ -206,6 +208,7 @@ func TestCommandSide_AddOIDCApplication(t *testing.T) {
IDTokenRoleAssertion: true,
IDTokenUserinfoAssertion: true,
ClockSkew: time.Second * 1,
AdditionalOrigins: []string{"https://sub.test.ch"},
State: domain.AppStateActive,
Compliance: &domain.Compliance{},
},
@ -382,7 +385,8 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
true,
true,
true,
time.Second*1),
time.Second*1,
[]string{"https://sub.test.ch"}),
),
),
),
@ -408,6 +412,7 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
IDTokenRoleAssertion: true,
IDTokenUserinfoAssertion: true,
ClockSkew: time.Second * 1,
AdditionalOrigins: []string{"https://sub.test.ch"},
},
resourceOwner: "org1",
},
@ -451,7 +456,8 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
true,
true,
true,
time.Second*1),
time.Second*1,
[]string{"https://sub.test.ch"}),
),
),
expectPush(
@ -487,6 +493,7 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
IDTokenRoleAssertion: false,
IDTokenUserinfoAssertion: false,
ClockSkew: time.Second * 2,
AdditionalOrigins: []string{"https://sub.test.ch"},
},
resourceOwner: "org1",
},
@ -512,6 +519,7 @@ func TestCommandSide_ChangeOIDCApplication(t *testing.T) {
IDTokenRoleAssertion: false,
IDTokenUserinfoAssertion: false,
ClockSkew: time.Second * 2,
AdditionalOrigins: []string{"https://sub.test.ch"},
Compliance: &domain.Compliance{},
State: domain.AppStateActive,
},
@ -645,7 +653,8 @@ func TestCommandSide_ChangeOIDCApplicationSecret(t *testing.T) {
true,
true,
true,
time.Second*1),
time.Second*1,
[]string{"https://sub.test.ch"}),
),
),
expectPush(
@ -695,6 +704,7 @@ func TestCommandSide_ChangeOIDCApplicationSecret(t *testing.T) {
IDTokenRoleAssertion: true,
IDTokenUserinfoAssertion: true,
ClockSkew: time.Second * 1,
AdditionalOrigins: []string{"https://sub.test.ch"},
State: domain.AppStateActive,
},
},

View File

@ -51,6 +51,7 @@ func oidcWriteModelToOIDCConfig(writeModel *OIDCApplicationWriteModel) *domain.O
IDTokenRoleAssertion: writeModel.IDTokenRoleAssertion,
IDTokenUserinfoAssertion: writeModel.IDTokenUserinfoAssertion,
ClockSkew: writeModel.ClockSkew,
AdditionalOrigins: writeModel.AdditionalOrigins,
}
}

View File

@ -4,6 +4,7 @@ import (
"strings"
"time"
http_util "github.com/caos/zitadel/internal/api/http"
"github.com/caos/zitadel/internal/crypto"
"github.com/caos/zitadel/internal/eventstore/v1/models"
)
@ -43,6 +44,7 @@ type OIDCApp struct {
IDTokenRoleAssertion bool
IDTokenUserinfoAssertion bool
ClockSkew time.Duration
AdditionalOrigins []string
State AppState
}
@ -119,7 +121,7 @@ const (
)
func (a *OIDCApp) IsValid() bool {
if a.ClockSkew > time.Second*5 || a.ClockSkew < time.Second*0 {
if a.ClockSkew > time.Second*5 || a.ClockSkew < time.Second*0 || !a.OriginsValid() {
return false
}
grantTypes := a.getRequiredGrantTypes()
@ -135,6 +137,15 @@ func (a *OIDCApp) IsValid() bool {
return true
}
func (a *OIDCApp) OriginsValid() bool {
for _, origin := range a.AdditionalOrigins {
if !http_util.IsOrigin(origin) {
return false
}
}
return true
}
func (a *OIDCApp) getRequiredGrantTypes() []OIDCGrantType {
grantTypes := make([]OIDCGrantType, 0)
implicit := false

View File

@ -1,9 +1,10 @@
package domain
import (
"github.com/caos/zitadel/internal/eventstore/v1/models"
"testing"
"time"
"github.com/caos/zitadel/internal/eventstore/v1/models"
)
func TestApplicationValid(t *testing.T) {
@ -160,6 +161,20 @@ func TestApplicationValid(t *testing.T) {
},
result: true,
},
{
name: "invalid oidc application: invalid origin",
args: args{
app: &OIDCApp{
ObjectRoot: models.ObjectRoot{AggregateID: "AggregateID"},
AppID: "AppID",
AppName: "Name",
ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode, OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken},
GrantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
AdditionalOrigins: []string{"https://test.com/test"},
},
},
result: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {

View File

@ -30,6 +30,7 @@ type ApplicationView struct {
ComplianceProblems []string
DevMode bool
OriginAllowList []string
AdditionalOrigins []string
AccessTokenType OIDCTokenType
IDTokenRoleAssertion bool
AccessTokenRoleAssertion bool

View File

@ -45,6 +45,7 @@ type ApplicationView struct {
ComplianceProblems pq.StringArray `json:"-" gorm:"column:compliance_problems"`
DevMode bool `json:"devMode" gorm:"column:dev_mode"`
OriginAllowList pq.StringArray `json:"-" gorm:"column:origin_allow_list"`
AdditionalOrigins pq.StringArray `json:"additionalOrigins" gorm:"column:additional_origins"`
AccessTokenType int32 `json:"accessTokenType" gorm:"column:access_token_type"`
AccessTokenRoleAssertion bool `json:"accessTokenRoleAssertion" gorm:"column:access_token_role_assertion"`
IDTokenRoleAssertion bool `json:"idTokenRoleAssertion" gorm:"column:id_token_role_assertion"`
@ -79,6 +80,7 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
ComplianceProblems: app.ComplianceProblems,
DevMode: app.DevMode,
OriginAllowList: app.OriginAllowList,
AdditionalOrigins: app.AdditionalOrigins,
AccessTokenType: model.OIDCTokenType(app.AccessTokenType),
AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
IDTokenRoleAssertion: app.IDTokenRoleAssertion,
@ -213,6 +215,11 @@ func (a *ApplicationView) setOriginAllowList() error {
allowList = append(allowList, origin)
}
}
for _, origin := range a.AdditionalOrigins {
if !http_util.IsOriginAllowed(allowList, origin) {
allowList = append(allowList, origin)
}
}
a.OriginAllowList = allowList
return nil
}

View File

@ -3,12 +3,12 @@ package project
import (
"context"
"encoding/json"
"github.com/caos/zitadel/internal/eventstore"
"time"
"github.com/caos/zitadel/internal/crypto"
"github.com/caos/zitadel/internal/domain"
"github.com/caos/zitadel/internal/errors"
"github.com/caos/zitadel/internal/eventstore"
"github.com/caos/zitadel/internal/eventstore/repository"
)
@ -39,6 +39,7 @@ type OIDCConfigAddedEvent struct {
IDTokenRoleAssertion bool `json:"idTokenRoleAssertion,omitempty"`
IDTokenUserinfoAssertion bool `json:"idTokenUserinfoAssertion,omitempty"`
ClockSkew time.Duration `json:"clockSkew,omitempty"`
AdditionalOrigins []string `json:"additionalOrigins,omitempty"`
}
func (e *OIDCConfigAddedEvent) Data() interface{} {
@ -68,6 +69,7 @@ func NewOIDCConfigAddedEvent(
idTokenRoleAssertion bool,
idTokenUserinfoAssertion bool,
clockSkew time.Duration,
additionalOrigins []string,
) *OIDCConfigAddedEvent {
return &OIDCConfigAddedEvent{
BaseEvent: *eventstore.NewBaseEventForPush(
@ -91,6 +93,7 @@ func NewOIDCConfigAddedEvent(
IDTokenRoleAssertion: idTokenRoleAssertion,
IDTokenUserinfoAssertion: idTokenUserinfoAssertion,
ClockSkew: clockSkew,
AdditionalOrigins: additionalOrigins,
}
}
@ -124,6 +127,7 @@ type OIDCConfigChangedEvent struct {
IDTokenRoleAssertion *bool `json:"idTokenRoleAssertion,omitempty"`
IDTokenUserinfoAssertion *bool `json:"idTokenUserinfoAssertion,omitempty"`
ClockSkew *time.Duration `json:"clockSkew,omitempty"`
AdditionalOrigins *[]string `json:"additionalOrigins,omitempty"`
}
func (e *OIDCConfigChangedEvent) Data() interface{} {
@ -238,6 +242,12 @@ func ChangeClockSkew(clockSkew time.Duration) func(event *OIDCConfigChangedEvent
}
}
func ChangeAdditionalOrigins(additionalOrigins []string) func(event *OIDCConfigChangedEvent) {
return func(e *OIDCConfigChangedEvent) {
e.AdditionalOrigins = &additionalOrigins
}
}
func OIDCConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
e := &OIDCConfigChangedEvent{
BaseEvent: *eventstore.BaseEventFromRepo(event),

View File

@ -0,0 +1,3 @@
ALTER TABLE auth.applications ADD COLUMN additional_origins TEXT ARRAY;
ALTER TABLE authz.applications ADD COLUMN additional_origins TEXT ARRAY;
ALTER TABLE management.applications ADD COLUMN additional_origins TEXT ARRAY;

View File

@ -65,7 +65,7 @@ message AppNameQuery {
message OIDCConfig {
repeated string redirect_uris = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"console.zitadel.ch/authorized\"]";
example: "[\"https://console.zitadel.ch/auth/callback\"]";
description: "Callback URI of the authorization request where the code or tokens will be sent to";
}
];
@ -103,7 +103,7 @@ message OIDCConfig {
];
repeated string post_logout_redirect_uris = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"console.zitadel.ch/logout\"]";
example: "[\"https://console.zitadel.ch/logout\"]";
description: "ZITADEL will redirect to this link after a successful logout";
}
];
@ -154,6 +154,18 @@ message OIDCConfig {
// max: "5s";
}
];
repeated string additional_origins = 18 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"https://console.zitadel.ch/auth/callback\"]";
description: "additional origins (other than the redirect_uris) from where the api can be used";
}
];
repeated string allowed_origins = 19 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"https://console.zitadel.ch/auth/callback\"]";
description: "all allowed origins from where the api can be used";
}
];
}
enum OIDCResponseType {

View File

@ -2953,6 +2953,7 @@ message AddOIDCAppRequest {
bool id_token_role_assertion = 13;
bool id_token_userinfo_assertion = 14;
google.protobuf.Duration clock_skew = 15 [(validate.rules).duration = {gte: {}, lte: {seconds: 5}}];
repeated string additional_origins = 16;
}
message AddOIDCAppResponse {
@ -3023,6 +3024,7 @@ message UpdateOIDCAppConfigRequest {
bool id_token_role_assertion = 12;
bool id_token_userinfo_assertion = 13;
google.protobuf.Duration clock_skew = 14 [(validate.rules).duration = {gte: {}, lte: {seconds: 5}}];
repeated string additional_origins = 15;
}
message UpdateOIDCAppConfigResponse {