feat: Identity brokering (#730)

* feat: add/ remove external idps * feat: external idp add /remove * fix: auth proto * fix: handle login * feat: loginpolicy on authrequest * feat: idp providers on login * feat: link external idp * fix: check login policy on check username * feat: add mapping fields for idp config * feat: use user org id if existing * feat: use user org id if existing * feat: register external user * feat: register external user * feat: user linking * feat: user linking * feat: design external login * feat: design external login * fix: tests * fix: regenerate login design * feat: next step test linking process * feat: next step test linking process * feat: cascade remove external idps on user * fix: tests * fix: tests * feat: external idp requsts on users * fix: generate protos * feat: login styles * feat: login styles * fix: link user * fix: register user on specifig org * fix: user linking * fix: register external, linking auto * fix: remove unnecessary request from proto * fix: tests * fix: new oidc package * fix: migration version * fix: policy permissions * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/handler/renderer.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/handler/renderer.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: pr requests * Update internal/ui/login/handler/link_users_handler.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: pr requests * fix: pr requests * fix: pr requests * fix: login name size * fix: profile image light * fix: colors * fix: pr requests * fix: remove redirect uri validator * fix: remove redirect uri validator Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-11 21:37:32 +00:00 · 2020-09-18 13:26:28 +02:00
parent 1d542a0c57
commit 320ddfa46d
141 changed files with 30057 additions and 12535 deletions
--- a/internal/auth_request/model/auth_request.go
+++ b/internal/auth_request/model/auth_request.go
@@ -1,6 +1,9 @@
 package model

 import (
+	"github.com/caos/zitadel/internal/iam/model"
+	"golang.org/x/text/language"
+	"strings"
 	"time"

 	"github.com/caos/zitadel/internal/errors"
@@ -22,17 +25,36 @@ type AuthRequest struct {
 	MaxAuthAge    uint32
 	Request       Request

-	levelOfAssurance LevelOfAssurance
-	UserID           string
-	LoginName        string
-	DisplayName      string
-	UserOrgID        string
-	PossibleSteps    []NextStep
-	PasswordVerified bool
-	MfasVerified     []MfaType
-	Audience         []string
-	AuthTime         time.Time
-	Code             string
+	levelOfAssurance    LevelOfAssurance
+	UserID              string
+	LoginName           string
+	DisplayName         string
+	UserOrgID           string
+	SelectedIDPConfigID string
+	LinkingUsers        []*ExternalUser
+	PossibleSteps       []NextStep
+	PasswordVerified    bool
+	MfasVerified        []MfaType
+	Audience            []string
+	AuthTime            time.Time
+	Code                string
+	LoginPolicy         *model.LoginPolicyView
+	AllowedExternalIDPs []*model.IDPProviderView
+}
+
+type ExternalUser struct {
+	IDPConfigID       string
+	ExternalUserID    string
+	DisplayName       string
+	PreferredUsername string
+	FirstName         string
+	LastName          string
+	NickName          string
+	Email             string
+	IsEmailVerified   bool
+	PreferredLanguage language.Tag
+	Phone             string
+	IsPhoneVerified   bool
 }

 type Prompt int32
@@ -103,3 +125,15 @@ func (a *AuthRequest) SetUserInfo(userID, loginName, displayName, userOrgID stri
 	a.DisplayName = displayName
 	a.UserOrgID = userOrgID
 }
+
+func (a *AuthRequest) GetScopeOrgID() string {
+	switch request := a.Request.(type) {
+	case *AuthRequestOIDC:
+		for _, scope := range request.Scopes {
+			if strings.HasPrefix(scope, OrgIDScope) {
+				strings.TrimPrefix(scope, OrgIDScope)
+			}
+		}
+	}
+	return ""
+}
--- a/internal/auth_request/model/next_step.go
+++ b/internal/auth_request/model/next_step.go
@@ -19,6 +19,8 @@ const (
 	NextStepMfaVerify
 	NextStepRedirectToCallback
 	NextStepChangeUsername
+	NextStepLinkUsers
+	NextStepExternalNotFoundOption
 )

 type UserSessionState int32
@@ -53,6 +55,12 @@ type InitUserStep struct {
 	PasswordSet bool
 }

+type ExternalNotFoundOptionStep struct{}
+
+func (s *ExternalNotFoundOptionStep) Type() NextStepType {
+	return NextStepExternalNotFoundOption
+}
+
 func (s *InitUserStep) Type() NextStepType {
 	return NextStepInitUser
 }
@@ -104,6 +112,12 @@ func (s *MfaVerificationStep) Type() NextStepType {
 	return NextStepMfaVerify
 }

+type LinkUsersStep struct{}
+
+func (s *LinkUsersStep) Type() NextStepType {
+	return NextStepLinkUsers
+}
+
 type RedirectToCallbackStep struct{}

 func (s *RedirectToCallbackStep) Type() NextStepType {
--- a/internal/auth_request/model/request.go
+++ b/internal/auth_request/model/request.go
@@ -18,6 +18,10 @@ const (
 	AuthRequestTypeSAML
 )

+const (
+	OrgIDScope = "urn:zitadel:organisation:id:"
+)
+
 type AuthRequestOIDC struct {
 	Scopes        []string
 	ResponseType  OIDCResponseType