mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-12 04:57:33 +00:00
feat: User login commands (#1228)
* feat: change login to command side * feat: change login to command side * fix: fix push on user * feat: user command side * feat: sign out * feat: command side login * feat: command side login * feat: fix register user * feat: fix register user * feat: fix web auth n events * feat: add machine keys * feat: send codes * feat: move authrequest to domain * feat: move authrequest to domain * feat: webauthn working * feat: external users * feat: external users login * feat: notify users * fix: tests * feat: cascade remove user grants on project remove * fix: webauthn * fix: pr requests * fix: register human with member * fix: fix bugs * fix: fix bugs
This commit is contained in:
Fabi
@@ -12,7 +12,7 @@ import (
|
||||
func loginPolicyToDomain(policy *admin.DefaultLoginPolicyRequest) *domain.LoginPolicy {
|
||||
return &domain.LoginPolicy{
|
||||
AllowUsernamePassword: policy.AllowUsernamePassword,
|
||||
AllowExternalIdp: policy.AllowExternalIdp,
|
||||
AllowExternalIDP: policy.AllowExternalIdp,
|
||||
AllowRegister: policy.AllowRegister,
|
||||
ForceMFA: policy.ForceMfa,
|
||||
PasswordlessType: passwordlessTypeToDomain(policy.PasswordlessType),
|
||||
@@ -22,7 +22,7 @@ func loginPolicyToDomain(policy *admin.DefaultLoginPolicyRequest) *domain.LoginP
|
||||
func loginPolicyFromDomain(policy *domain.LoginPolicy) *admin.DefaultLoginPolicy {
|
||||
return &admin.DefaultLoginPolicy{
|
||||
AllowUsernamePassword: policy.AllowUsernamePassword,
|
||||
AllowExternalIdp: policy.AllowExternalIdp,
|
||||
AllowExternalIdp: policy.AllowExternalIDP,
|
||||
AllowRegister: policy.AllowRegister,
|
||||
ForceMfa: policy.ForceMFA,
|
||||
PasswordlessType: passwordlessTypeFromDomain(policy.PasswordlessType),
|
||||
|
||||
@@ -162,19 +162,19 @@ func (s *Server) AddMfaOTP(ctx context.Context, _ *empty.Empty) (_ *auth.MfaOtpR
|
||||
|
||||
func (s *Server) VerifyMfaOTP(ctx context.Context, request *auth.VerifyMfaOtp) (*empty.Empty, error) {
|
||||
ctxData := authz.GetCtxData(ctx)
|
||||
err := s.command.CheckMFAOTPSetup(ctx, ctxData.UserID, request.Code, "", ctxData.ResourceOwner)
|
||||
err := s.command.HumanCheckMFAOTPSetup(ctx, ctxData.UserID, request.Code, "", ctxData.ResourceOwner)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) RemoveMfaOTP(ctx context.Context, _ *empty.Empty) (_ *empty.Empty, err error) {
|
||||
ctxData := authz.GetCtxData(ctx)
|
||||
err = s.command.RemoveHumanOTP(ctx, ctxData.UserID, ctxData.OrgID)
|
||||
err = s.command.HumanRemoveOTP(ctx, ctxData.UserID, ctxData.OrgID)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) AddMyMfaU2F(ctx context.Context, _ *empty.Empty) (_ *auth.WebAuthNResponse, err error) {
|
||||
ctxData := authz.GetCtxData(ctx)
|
||||
u2f, err := s.command.AddHumanU2F(ctx, ctxData.UserID, ctxData.ResourceOwner, false)
|
||||
u2f, err := s.command.HumanAddU2FSetup(ctx, ctxData.UserID, ctxData.ResourceOwner, false)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -183,13 +183,13 @@ func (s *Server) AddMyMfaU2F(ctx context.Context, _ *empty.Empty) (_ *auth.WebAu
|
||||
|
||||
func (s *Server) VerifyMyMfaU2F(ctx context.Context, request *auth.VerifyWebAuthN) (*empty.Empty, error) {
|
||||
ctxData := authz.GetCtxData(ctx)
|
||||
err := s.command.VerifyHumanU2F(ctx, ctxData.UserID, ctxData.OrgID, request.TokenName, "", request.PublicKeyCredential)
|
||||
err := s.command.HumanVerifyU2FSetup(ctx, ctxData.UserID, ctxData.OrgID, request.TokenName, "", request.PublicKeyCredential)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) RemoveMyMfaU2F(ctx context.Context, id *auth.WebAuthNTokenID) (*empty.Empty, error) {
|
||||
ctxData := authz.GetCtxData(ctx)
|
||||
err := s.command.RemoveHumanU2F(ctx, ctxData.UserID, id.Id, ctxData.OrgID)
|
||||
err := s.command.HumanRemoveU2F(ctx, ctxData.UserID, id.Id, ctxData.OrgID)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
@@ -203,7 +203,7 @@ func (s *Server) GetMyPasswordless(ctx context.Context, _ *empty.Empty) (_ *auth
|
||||
|
||||
func (s *Server) AddMyPasswordless(ctx context.Context, _ *empty.Empty) (_ *auth.WebAuthNResponse, err error) {
|
||||
ctxData := authz.GetCtxData(ctx)
|
||||
u2f, err := s.command.AddHumanPasswordless(ctx, ctxData.UserID, ctxData.ResourceOwner, false)
|
||||
u2f, err := s.command.HumanAddPasswordlessSetup(ctx, ctxData.UserID, ctxData.ResourceOwner, false)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -212,13 +212,13 @@ func (s *Server) AddMyPasswordless(ctx context.Context, _ *empty.Empty) (_ *auth
|
||||
|
||||
func (s *Server) VerifyMyPasswordless(ctx context.Context, request *auth.VerifyWebAuthN) (*empty.Empty, error) {
|
||||
ctxData := authz.GetCtxData(ctx)
|
||||
err := s.command.VerifyHumanPasswordless(ctx, ctxData.UserID, ctxData.OrgID, request.TokenName, "", request.PublicKeyCredential)
|
||||
err := s.command.HumanHumanPasswordlessSetup(ctx, ctxData.UserID, ctxData.OrgID, request.TokenName, "", request.PublicKeyCredential)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) RemoveMyPasswordless(ctx context.Context, id *auth.WebAuthNTokenID) (*empty.Empty, error) {
|
||||
ctxData := authz.GetCtxData(ctx)
|
||||
err := s.command.RemoveHumanPasswordless(ctx, ctxData.UserID, id.Id, ctxData.ResourceOwner)
|
||||
err := s.command.HumanRemovePasswordless(ctx, ctxData.UserID, id.Id, ctxData.ResourceOwner)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
|
||||
@@ -20,7 +20,7 @@ func loginPolicyRequestToDomain(ctx context.Context, policy *management.LoginPol
|
||||
AggregateID: authz.GetCtxData(ctx).OrgID,
|
||||
},
|
||||
AllowUsernamePassword: policy.AllowUsernamePassword,
|
||||
AllowExternalIdp: policy.AllowExternalIdp,
|
||||
AllowExternalIDP: policy.AllowExternalIdp,
|
||||
AllowRegister: policy.AllowRegister,
|
||||
ForceMFA: policy.ForceMfa,
|
||||
PasswordlessType: passwordlessTypeToDomain(policy.PasswordlessType),
|
||||
@@ -30,7 +30,7 @@ func loginPolicyRequestToDomain(ctx context.Context, policy *management.LoginPol
|
||||
func loginPolicyFromDomain(policy *domain.LoginPolicy) *management.LoginPolicy {
|
||||
return &management.LoginPolicy{
|
||||
AllowUsernamePassword: policy.AllowUsernamePassword,
|
||||
AllowExternalIdp: policy.AllowExternalIdp,
|
||||
AllowExternalIdp: policy.AllowExternalIDP,
|
||||
AllowRegister: policy.AllowRegister,
|
||||
ChangeDate: timestamppb.New(policy.ChangeDate),
|
||||
ForceMfa: policy.ForceMFA,
|
||||
|
||||
@@ -2,7 +2,6 @@ package management
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/golang/protobuf/ptypes/empty"
|
||||
|
||||
"github.com/caos/zitadel/internal/api/authz"
|
||||
@@ -36,7 +35,11 @@ func (s *Server) ReactivateProject(ctx context.Context, in *management.ProjectID
|
||||
}
|
||||
|
||||
func (s *Server) RemoveProject(ctx context.Context, in *management.ProjectID) (*empty.Empty, error) {
|
||||
err := s.command.RemoveProject(ctx, in.Id, authz.GetCtxData(ctx).OrgID)
|
||||
grants, err := s.usergrant.UserGrantsByProjectID(ctx, in.Id)
|
||||
if err != nil {
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
err = s.command.RemoveProject(ctx, in.Id, authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants)...)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
|
||||
@@ -217,11 +217,11 @@ func (s *Server) GetUserMfas(ctx context.Context, userID *management.UserID) (*m
|
||||
}
|
||||
|
||||
func (s *Server) RemoveMfaOTP(ctx context.Context, userID *management.UserID) (*empty.Empty, error) {
|
||||
return &empty.Empty{}, s.command.RemoveHumanOTP(ctx, userID.Id, authz.GetCtxData(ctx).OrgID)
|
||||
return &empty.Empty{}, s.command.HumanRemoveOTP(ctx, userID.Id, authz.GetCtxData(ctx).OrgID)
|
||||
}
|
||||
|
||||
func (s *Server) RemoveMfaU2F(ctx context.Context, webAuthNTokenID *management.WebAuthNTokenID) (*empty.Empty, error) {
|
||||
return &empty.Empty{}, s.command.RemoveHumanU2F(ctx, webAuthNTokenID.UserId, webAuthNTokenID.Id, authz.GetCtxData(ctx).OrgID)
|
||||
return &empty.Empty{}, s.command.HumanRemoveU2F(ctx, webAuthNTokenID.UserId, webAuthNTokenID.Id, authz.GetCtxData(ctx).OrgID)
|
||||
}
|
||||
|
||||
func (s *Server) GetPasswordless(ctx context.Context, userID *management.UserID) (_ *management.WebAuthNTokens, err error) {
|
||||
@@ -233,7 +233,7 @@ func (s *Server) GetPasswordless(ctx context.Context, userID *management.UserID)
|
||||
}
|
||||
|
||||
func (s *Server) RemovePasswordless(ctx context.Context, id *management.WebAuthNTokenID) (*empty.Empty, error) {
|
||||
return &empty.Empty{}, s.command.RemoveHumanPasswordless(ctx, id.UserId, id.Id, authz.GetCtxData(ctx).OrgID)
|
||||
return &empty.Empty{}, s.command.HumanRemovePasswordless(ctx, id.UserId, id.Id, authz.GetCtxData(ctx).OrgID)
|
||||
}
|
||||
|
||||
func (s *Server) SearchUserMemberships(ctx context.Context, in *management.UserMembershipSearchRequest) (*management.UserMembershipSearchResponse, error) {
|
||||
|
||||
@@ -177,3 +177,11 @@ func usergrantStateFromDomain(state domain.UserGrantState) management.UserGrantS
|
||||
return management.UserGrantState_USERGRANTSTATE_UNSPECIFIED
|
||||
}
|
||||
}
|
||||
|
||||
func userGrantsToIDs(userGrants []*grant_model.UserGrantView) []string {
|
||||
converted := make([]string, len(userGrants))
|
||||
for i, grant := range userGrants {
|
||||
converted[i] = grant.ID
|
||||
}
|
||||
return converted
|
||||
}
|
||||
|
||||
@@ -2,21 +2,22 @@ package management
|
||||
|
||||
import (
|
||||
"context"
|
||||
"github.com/caos/zitadel/internal/api/authz"
|
||||
|
||||
"github.com/caos/zitadel/pkg/grpc/management"
|
||||
"github.com/golang/protobuf/ptypes/empty"
|
||||
)
|
||||
|
||||
func (s *Server) AddMachineKey(ctx context.Context, req *management.AddMachineKeyRequest) (*management.AddMachineKeyResponse, error) {
|
||||
key, err := s.user.AddMachineKey(ctx, addMachineKeyToModel(req))
|
||||
key, err := s.command.AddUserMachineKey(ctx, addMachineKeyToDomain(req), authz.GetCtxData(ctx).OrgID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return addMachineKeyFromModel(key), nil
|
||||
return addMachineKeyFromDomain(key), nil
|
||||
}
|
||||
|
||||
func (s *Server) DeleteMachineKey(ctx context.Context, req *management.MachineKeyIDRequest) (*empty.Empty, error) {
|
||||
err := s.user.RemoveMachineKey(ctx, req.UserId, req.KeyId)
|
||||
err := s.command.RemoveUserMachineKey(ctx, req.UserId, req.KeyId, authz.GetCtxData(ctx).OrgID)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
|
||||
@@ -2,6 +2,7 @@ package management
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"google.golang.org/protobuf/types/known/timestamppb"
|
||||
"time"
|
||||
|
||||
"github.com/caos/zitadel/internal/api/authz"
|
||||
@@ -75,7 +76,7 @@ func machineKeyViewFromModel(key *usr_model.MachineKeyView) *management.MachineK
|
||||
}
|
||||
}
|
||||
|
||||
func addMachineKeyToModel(key *management.AddMachineKeyRequest) *usr_model.MachineKey {
|
||||
func addMachineKeyToDomain(key *management.AddMachineKeyRequest) *domain.MachineKey {
|
||||
expirationDate := time.Time{}
|
||||
if key.ExpirationDate != nil {
|
||||
var err error
|
||||
@@ -83,20 +84,14 @@ func addMachineKeyToModel(key *management.AddMachineKeyRequest) *usr_model.Machi
|
||||
logging.Log("MANAG-iNshR").OnError(err).Debug("unable to parse expiration date")
|
||||
}
|
||||
|
||||
return &usr_model.MachineKey{
|
||||
return &domain.MachineKey{
|
||||
ExpirationDate: expirationDate,
|
||||
Type: machineKeyTypeToModel(key.Type),
|
||||
Type: machineKeyTypeToDomain(key.Type),
|
||||
ObjectRoot: models.ObjectRoot{AggregateID: key.UserId},
|
||||
}
|
||||
}
|
||||
|
||||
func addMachineKeyFromModel(key *usr_model.MachineKey) *management.AddMachineKeyResponse {
|
||||
creationDate, err := ptypes.TimestampProto(key.CreationDate)
|
||||
logging.Log("MANAG-dlb8m").OnError(err).Debug("unable to parse cretaion date")
|
||||
|
||||
expirationDate, err := ptypes.TimestampProto(key.ExpirationDate)
|
||||
logging.Log("MANAG-dlb8m").OnError(err).Debug("unable to parse cretaion date")
|
||||
|
||||
func addMachineKeyFromDomain(key *domain.MachineKey) *management.AddMachineKeyResponse {
|
||||
detail, err := json.Marshal(struct {
|
||||
Type string `json:"type"`
|
||||
KeyID string `json:"keyId"`
|
||||
@@ -112,20 +107,29 @@ func addMachineKeyFromModel(key *usr_model.MachineKey) *management.AddMachineKey
|
||||
|
||||
return &management.AddMachineKeyResponse{
|
||||
Id: key.KeyID,
|
||||
CreationDate: creationDate,
|
||||
ExpirationDate: expirationDate,
|
||||
CreationDate: timestamppb.New(key.CreationDate),
|
||||
ExpirationDate: timestamppb.New(key.ExpirationDate),
|
||||
Sequence: key.Sequence,
|
||||
KeyDetails: detail,
|
||||
Type: machineKeyTypeFromModel(key.Type),
|
||||
Type: machineKeyTypeFromDomain(key.Type),
|
||||
}
|
||||
}
|
||||
|
||||
func machineKeyTypeToModel(typ management.MachineKeyType) usr_model.MachineKeyType {
|
||||
func machineKeyTypeToDomain(typ management.MachineKeyType) domain.MachineKeyType {
|
||||
switch typ {
|
||||
case management.MachineKeyType_MACHINEKEY_JSON:
|
||||
return usr_model.MachineKeyTypeJSON
|
||||
return domain.MachineKeyTypeJSON
|
||||
default:
|
||||
return usr_model.MachineKeyTypeNONE
|
||||
return domain.MachineKeyTypeNONE
|
||||
}
|
||||
}
|
||||
|
||||
func machineKeyTypeFromDomain(typ domain.MachineKeyType) management.MachineKeyType {
|
||||
switch typ {
|
||||
case domain.MachineKeyTypeJSON:
|
||||
return management.MachineKeyType_MACHINEKEY_JSON
|
||||
default:
|
||||
return management.MachineKeyType_MACHINEKEY_UNSPECIFIED
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -89,7 +89,7 @@ func (o *OPStorage) CreateToken(ctx context.Context, req op.TokenRequest) (_ str
|
||||
userAgentID = authReq.AgentID
|
||||
applicationID = authReq.ApplicationID
|
||||
}
|
||||
resp, err := o.repo.CreateToken(ctx, userAgentID, applicationID, req.GetSubject(), req.GetAudience(), req.GetScopes(), o.defaultAccessTokenLifetime) //PLANNED: lifetime from client
|
||||
resp, err := o.command.CreateUserToken(ctx, authReq.UserOrgID, userAgentID, applicationID, req.GetSubject(), req.GetAudience(), req.GetScopes(), o.defaultAccessTokenLifetime) //PLANNED: lifetime from client
|
||||
if err != nil {
|
||||
return "", time.Time{}, err
|
||||
}
|
||||
@@ -113,7 +113,11 @@ func (o *OPStorage) TerminateSession(ctx context.Context, userID, clientID strin
|
||||
if !ok {
|
||||
return errors.ThrowPreconditionFailed(nil, "OIDC-fso7F", "no user agent id")
|
||||
}
|
||||
return o.repo.SignOut(ctx, userAgentID)
|
||||
userIDs, err := o.repo.UserSessionUserIDsByAgentID(ctx, userAgentID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return o.command.HumansSignOut(ctx, userAgentID, userIDs)
|
||||
}
|
||||
|
||||
func (o *OPStorage) GetSigningKey(ctx context.Context, keyCh chan<- jose.SigningKey, errCh chan<- error, timer <-chan time.Time) {
|
||||
|
||||
@@ -2,6 +2,7 @@ package oidc
|
||||
|
||||
import (
|
||||
"context"
|
||||
"github.com/caos/zitadel/internal/v2/domain"
|
||||
"net"
|
||||
"time"
|
||||
|
||||
@@ -10,7 +11,6 @@ import (
|
||||
"golang.org/x/text/language"
|
||||
|
||||
http_utils "github.com/caos/zitadel/internal/api/http"
|
||||
"github.com/caos/zitadel/internal/auth_request/model"
|
||||
"github.com/caos/zitadel/internal/errors"
|
||||
)
|
||||
|
||||
@@ -22,7 +22,7 @@ const (
|
||||
)
|
||||
|
||||
type AuthRequest struct {
|
||||
*model.AuthRequest
|
||||
*domain.AuthRequest
|
||||
}
|
||||
|
||||
func (a *AuthRequest) GetID() string {
|
||||
@@ -92,26 +92,26 @@ func (a *AuthRequest) GetSubject() string {
|
||||
|
||||
func (a *AuthRequest) Done() bool {
|
||||
for _, step := range a.PossibleSteps {
|
||||
if step.Type() == model.NextStepRedirectToCallback {
|
||||
if step.Type() == domain.NextStepRedirectToCallback {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func (a *AuthRequest) oidc() *model.AuthRequestOIDC {
|
||||
return a.Request.(*model.AuthRequestOIDC)
|
||||
func (a *AuthRequest) oidc() *domain.AuthRequestOIDC {
|
||||
return a.Request.(*domain.AuthRequestOIDC)
|
||||
}
|
||||
|
||||
func AuthRequestFromBusiness(authReq *model.AuthRequest) (_ op.AuthRequest, err error) {
|
||||
if _, ok := authReq.Request.(*model.AuthRequestOIDC); !ok {
|
||||
func AuthRequestFromBusiness(authReq *domain.AuthRequest) (_ op.AuthRequest, err error) {
|
||||
if _, ok := authReq.Request.(*domain.AuthRequestOIDC); !ok {
|
||||
return nil, errors.ThrowInvalidArgument(nil, "OIDC-Haz7A", "auth request is not of type oidc")
|
||||
}
|
||||
return &AuthRequest{authReq}, nil
|
||||
}
|
||||
|
||||
func CreateAuthRequestToBusiness(ctx context.Context, authReq *oidc.AuthRequest, userAgentID, userID string) *model.AuthRequest {
|
||||
return &model.AuthRequest{
|
||||
func CreateAuthRequestToBusiness(ctx context.Context, authReq *oidc.AuthRequest, userAgentID, userID string) *domain.AuthRequest {
|
||||
return &domain.AuthRequest{
|
||||
AgentID: userAgentID,
|
||||
BrowserInfo: ParseBrowserInfoFromContext(ctx),
|
||||
ApplicationID: authReq.ClientID,
|
||||
@@ -123,7 +123,7 @@ func CreateAuthRequestToBusiness(ctx context.Context, authReq *oidc.AuthRequest,
|
||||
LoginHint: authReq.LoginHint,
|
||||
MaxAuthAge: authReq.MaxAge,
|
||||
UserID: userID,
|
||||
Request: &model.AuthRequestOIDC{
|
||||
Request: &domain.AuthRequestOIDC{
|
||||
Scopes: authReq.Scopes,
|
||||
ResponseType: ResponseTypeToBusiness(authReq.ResponseType),
|
||||
Nonce: authReq.Nonce,
|
||||
@@ -132,10 +132,10 @@ func CreateAuthRequestToBusiness(ctx context.Context, authReq *oidc.AuthRequest,
|
||||
}
|
||||
}
|
||||
|
||||
func ParseBrowserInfoFromContext(ctx context.Context) *model.BrowserInfo {
|
||||
func ParseBrowserInfoFromContext(ctx context.Context) *domain.BrowserInfo {
|
||||
userAgent, acceptLang := HttpHeadersFromContext(ctx)
|
||||
ip := IpFromContext(ctx)
|
||||
return &model.BrowserInfo{RemoteIP: ip, UserAgent: userAgent, AcceptLanguage: acceptLang}
|
||||
return &domain.BrowserInfo{RemoteIP: ip, UserAgent: userAgent, AcceptLanguage: acceptLang}
|
||||
}
|
||||
|
||||
func HttpHeadersFromContext(ctx context.Context) (userAgent, acceptLang string) {
|
||||
@@ -160,22 +160,22 @@ func IpFromContext(ctx context.Context) net.IP {
|
||||
return net.ParseIP(ipString)
|
||||
}
|
||||
|
||||
func PromptToBusiness(prompt oidc.Prompt) model.Prompt {
|
||||
func PromptToBusiness(prompt oidc.Prompt) domain.Prompt {
|
||||
switch prompt {
|
||||
case oidc.PromptNone:
|
||||
return model.PromptNone
|
||||
return domain.PromptNone
|
||||
case oidc.PromptLogin:
|
||||
return model.PromptLogin
|
||||
return domain.PromptLogin
|
||||
case oidc.PromptConsent:
|
||||
return model.PromptConsent
|
||||
return domain.PromptConsent
|
||||
case oidc.PromptSelectAccount:
|
||||
return model.PromptSelectAccount
|
||||
return domain.PromptSelectAccount
|
||||
default:
|
||||
return model.PromptUnspecified
|
||||
return domain.PromptUnspecified
|
||||
}
|
||||
}
|
||||
|
||||
func ACRValuesToBusiness(values []string) []model.LevelOfAssurance {
|
||||
func ACRValuesToBusiness(values []string) []domain.LevelOfAssurance {
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -190,52 +190,52 @@ func UILocalesToBusiness(tags []language.Tag) []string {
|
||||
return locales
|
||||
}
|
||||
|
||||
func ResponseTypeToBusiness(responseType oidc.ResponseType) model.OIDCResponseType {
|
||||
func ResponseTypeToBusiness(responseType oidc.ResponseType) domain.OIDCResponseType {
|
||||
switch responseType {
|
||||
case oidc.ResponseTypeCode:
|
||||
return model.OIDCResponseTypeCode
|
||||
return domain.OIDCResponseTypeCode
|
||||
case oidc.ResponseTypeIDTokenOnly:
|
||||
return model.OIDCResponseTypeIdToken
|
||||
return domain.OIDCResponseTypeIDToken
|
||||
case oidc.ResponseTypeIDToken:
|
||||
return model.OIDCResponseTypeIdTokenToken
|
||||
return domain.OIDCResponseTypeIDTokenToken
|
||||
default:
|
||||
return model.OIDCResponseTypeCode
|
||||
return domain.OIDCResponseTypeCode
|
||||
}
|
||||
}
|
||||
|
||||
func ResponseTypeToOIDC(responseType model.OIDCResponseType) oidc.ResponseType {
|
||||
func ResponseTypeToOIDC(responseType domain.OIDCResponseType) oidc.ResponseType {
|
||||
switch responseType {
|
||||
case model.OIDCResponseTypeCode:
|
||||
case domain.OIDCResponseTypeCode:
|
||||
return oidc.ResponseTypeCode
|
||||
case model.OIDCResponseTypeIdTokenToken:
|
||||
case domain.OIDCResponseTypeIDTokenToken:
|
||||
return oidc.ResponseTypeIDToken
|
||||
case model.OIDCResponseTypeIdToken:
|
||||
case domain.OIDCResponseTypeIDToken:
|
||||
return oidc.ResponseTypeIDTokenOnly
|
||||
default:
|
||||
return oidc.ResponseTypeCode
|
||||
}
|
||||
}
|
||||
|
||||
func CodeChallengeToBusiness(challenge string, method oidc.CodeChallengeMethod) *model.OIDCCodeChallenge {
|
||||
func CodeChallengeToBusiness(challenge string, method oidc.CodeChallengeMethod) *domain.OIDCCodeChallenge {
|
||||
if challenge == "" {
|
||||
return nil
|
||||
}
|
||||
challengeMethod := model.CodeChallengeMethodPlain
|
||||
challengeMethod := domain.CodeChallengeMethodPlain
|
||||
if method == oidc.CodeChallengeMethodS256 {
|
||||
challengeMethod = model.CodeChallengeMethodS256
|
||||
challengeMethod = domain.CodeChallengeMethodS256
|
||||
}
|
||||
return &model.OIDCCodeChallenge{
|
||||
return &domain.OIDCCodeChallenge{
|
||||
Challenge: challenge,
|
||||
Method: challengeMethod,
|
||||
}
|
||||
}
|
||||
|
||||
func CodeChallengeToOIDC(challenge *model.OIDCCodeChallenge) *oidc.CodeChallenge {
|
||||
func CodeChallengeToOIDC(challenge *domain.OIDCCodeChallenge) *oidc.CodeChallenge {
|
||||
if challenge == nil {
|
||||
return nil
|
||||
}
|
||||
challengeMethod := oidc.CodeChallengeMethodPlain
|
||||
if challenge.Method == model.CodeChallengeMethodS256 {
|
||||
if challenge.Method == domain.CodeChallengeMethodS256 {
|
||||
challengeMethod = oidc.CodeChallengeMethodS256
|
||||
}
|
||||
return &oidc.CodeChallenge{
|
||||
@@ -244,12 +244,12 @@ func CodeChallengeToOIDC(challenge *model.OIDCCodeChallenge) *oidc.CodeChallenge
|
||||
}
|
||||
}
|
||||
|
||||
func AMRFromMFAType(mfaType model.MFAType) string {
|
||||
func AMRFromMFAType(mfaType domain.MFAType) string {
|
||||
switch mfaType {
|
||||
case model.MFATypeOTP:
|
||||
case domain.MFATypeOTP:
|
||||
return amrOTP
|
||||
case model.MFATypeU2F,
|
||||
model.MFATypeU2FUserVerification:
|
||||
case domain.MFATypeU2F,
|
||||
domain.MFATypeU2FUserVerification:
|
||||
return amrUserPresence
|
||||
default:
|
||||
return ""
|
||||
|
||||
@@ -3,6 +3,8 @@ package oidc
|
||||
import (
|
||||
"context"
|
||||
"github.com/caos/zitadel/internal/telemetry/metrics"
|
||||
"github.com/caos/zitadel/internal/v2/command"
|
||||
"github.com/caos/zitadel/internal/v2/query"
|
||||
"time"
|
||||
|
||||
"github.com/caos/logging"
|
||||
@@ -46,13 +48,15 @@ type Endpoint struct {
|
||||
|
||||
type OPStorage struct {
|
||||
repo repository.Repository
|
||||
command *command.CommandSide
|
||||
query *query.QuerySide
|
||||
defaultLoginURL string
|
||||
defaultAccessTokenLifetime time.Duration
|
||||
defaultIdTokenLifetime time.Duration
|
||||
signingKeyAlgorithm string
|
||||
}
|
||||
|
||||
func NewProvider(ctx context.Context, config OPHandlerConfig, repo repository.Repository, localDevMode bool) op.OpenIDProvider {
|
||||
func NewProvider(ctx context.Context, config OPHandlerConfig, command *command.CommandSide, query *query.QuerySide, repo repository.Repository, localDevMode bool) op.OpenIDProvider {
|
||||
cookieHandler, err := middleware.NewUserAgentHandler(config.UserAgentCookieConfig, id.SonyFlakeGenerator, localDevMode)
|
||||
logging.Log("OIDC-sd4fd").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Panic("cannot user agent handler")
|
||||
config.OPConfig.CodeMethodS256 = true
|
||||
@@ -60,7 +64,7 @@ func NewProvider(ctx context.Context, config OPHandlerConfig, repo repository.Re
|
||||
provider, err := op.NewOpenIDProvider(
|
||||
ctx,
|
||||
config.OPConfig,
|
||||
newStorage(config.StorageConfig, repo),
|
||||
newStorage(config.StorageConfig, command, query, repo),
|
||||
op.WithHttpInterceptors(
|
||||
middleware.MetricsHandler(metricTypes),
|
||||
middleware.TelemetryHandler(),
|
||||
@@ -79,9 +83,11 @@ func NewProvider(ctx context.Context, config OPHandlerConfig, repo repository.Re
|
||||
return provider
|
||||
}
|
||||
|
||||
func newStorage(config StorageConfig, repo repository.Repository) *OPStorage {
|
||||
func newStorage(config StorageConfig, command *command.CommandSide, query *query.QuerySide, repo repository.Repository) *OPStorage {
|
||||
return &OPStorage{
|
||||
repo: repo,
|
||||
command: command,
|
||||
query: query,
|
||||
defaultLoginURL: config.DefaultLoginURL,
|
||||
signingKeyAlgorithm: config.SigningKeyAlgorithm,
|
||||
defaultAccessTokenLifetime: config.DefaultAccessTokenLifetime.Duration,
|
||||
|
||||
Reference in New Issue
Block a user