feat(6222): remove @ and project from OIDC client ID (#8178)

# Which Problems Are Solved The client ID for OIDC applications has an `@` in it, which is not allowed in some 3rd-party systems (such as AWS). # How the Problems Are Solved Per @fforootd and @hifabienne in #6222, remove the project suffix and the `@` from the client ID and just use the generated ID. # Additional Changes N/A # Additional Context - Closes #6222 --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 04:57:33 +00:00 · 2024-07-04 01:31:40 -07:00
parent 02c98f570b
commit 32b707cf46
13 changed files with 220 additions and 51 deletions
--- a/internal/query/oidc_client_test.go
+++ b/internal/query/oidc_client_test.go
@@ -21,6 +21,8 @@ var (
 	testdataOidcClientJWT string
 	//go:embed testdata/oidc_client_public.json
 	testdataOidcClientPublic string
+	//go:embed testdata/oidc_client_public_old_id.json
+	testdataOidcClientPublicOldId string
 	//go:embed testdata/oidc_client_secret.json
 	testdataOidcClientSecret string
 	//go:embed testdata/oidc_client_no_settings.json
@@ -64,7 +66,7 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 				InstanceID:               "230690539048009730",
 				AppID:                    "236647088211886082",
 				State:                    domain.AppStateActive,
-				ClientID:                 "236647088211951618@tests",
+				ClientID:                 "236647088211951618",
 				HashedSecret:             "",
 				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
 				ResponseTypes:            []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
@@ -92,6 +94,38 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 		{
 			name: "public client",
 			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientPublic}, "instanceID", "clientID", true),
+			want: &OIDCClient{
+				InstanceID:               "230690539048009730",
+				AppID:                    "236646457053020162",
+				State:                    domain.AppStateActive,
+				ClientID:                 "236646457053085698",
+				HashedSecret:             "",
+				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
+				ResponseTypes:            []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
+				GrantTypes:               []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode},
+				ApplicationType:          domain.OIDCApplicationTypeWeb,
+				AuthMethodType:           domain.OIDCAuthMethodTypeNone,
+				PostLogoutRedirectURIs:   nil,
+				IsDevMode:                true,
+				AccessTokenType:          domain.OIDCTokenTypeBearer,
+				AccessTokenRoleAssertion: false,
+				IDTokenRoleAssertion:     false,
+				IDTokenUserinfoAssertion: false,
+				ClockSkew:                0,
+				AdditionalOrigins:        nil,
+				PublicKeys:               nil,
+				ProjectID:                "236645808328409090",
+				ProjectRoleAssertion:     true,
+				ProjectRoleKeys:          []string{"role1", "role2"},
+				Settings: &OIDCSettings{
+					AccessTokenLifetime: 43200000000000,
+					IdTokenLifetime:     43200000000000,
+				},
+			},
+		},
+		{
+			name: "public client",
+			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientPublicOldId}, "instanceID", "clientID", true),
 			want: &OIDCClient{
 				InstanceID:               "230690539048009730",
 				AppID:                    "236646457053020162",
@@ -128,7 +162,7 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 				InstanceID:               "230690539048009730",
 				AppID:                    "236646858984783874",
 				State:                    domain.AppStateActive,
-				ClientID:                 "236646858984849410@tests",
+				ClientID:                 "236646858984849410",
 				HashedSecret:             "$2a$14$OzZ0XEZZEtD13py/EPba2evsS6WcKZ5orVMj9pWHEGEHmLu2h3PFq",
 				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
 				ResponseTypes:            []domain.OIDCResponseType{0},
@@ -160,7 +194,7 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 				InstanceID:   "239520764275982338",
 				AppID:        "239520764276441090",
 				State:        domain.AppStateActive,
-				ClientID:     "239520764779364354@zitadel",
+				ClientID:     "239520764779364354",
 				HashedSecret: "",
 				RedirectURIs: []string{
 					"http://test2-qucuh5.localhost:9000/ui/console/auth/callback",
--- a/internal/query/testdata/oidc_client_jwt.json
+++ b/internal/query/testdata/oidc_client_jwt.json
@@ -2,7 +2,7 @@
  "instance_id": "230690539048009730",
  "app_id": "236647088211886082",
  "state": 1,
-  "client_id": "236647088211951618@tests",
+  "client_id": "236647088211951618",
  "client_secret": null,
  "redirect_uris": ["http://localhost:9999/auth/callback"],
  "response_types": [0],
--- a/internal/query/testdata/oidc_client_no_settings.json
+++ b/internal/query/testdata/oidc_client_no_settings.json
@@ -2,7 +2,7 @@
  "instance_id": "239520764275982338",
  "app_id": "239520764276441090",
  "state": 1,
-  "client_id": "239520764779364354@zitadel",
+  "client_id": "239520764779364354",
  "client_secret": null,
  "redirect_uris": [
    "http://test2-qucuh5.localhost:9000/ui/console/auth/callback",
--- a/internal/query/testdata/oidc_client_public.json
+++ b/internal/query/testdata/oidc_client_public.json
@@ -2,7 +2,7 @@
  "instance_id": "230690539048009730",
  "app_id": "236646457053020162",
  "state": 1,
-  "client_id": "236646457053085698@tests",
+  "client_id": "236646457053085698",
  "client_secret": null,
  "redirect_uris": ["http://localhost:9999/auth/callback"],
  "response_types": [0],
--- a/internal/query/testdata/oidc_client_public_old_id.json
+++ b/internal/query/testdata/oidc_client_public_old_id.json
@@ -0,0 +1,28 @@
+{
+  "instance_id": "230690539048009730",
+  "app_id": "236646457053020162",
+  "state": 1,
+  "client_id": "236646457053085698@tests",
+  "client_secret": null,
+  "redirect_uris": ["http://localhost:9999/auth/callback"],
+  "response_types": [0],
+  "grant_types": [0],
+  "application_type": 0,
+  "auth_method_type": 2,
+  "post_logout_redirect_uris": null,
+  "is_dev_mode": true,
+  "access_token_type": 0,
+  "access_token_role_assertion": false,
+  "id_token_role_assertion": false,
+  "id_token_userinfo_assertion": false,
+  "clock_skew": 0,
+  "additional_origins": null,
+  "project_id": "236645808328409090",
+  "project_role_assertion": true,
+  "project_role_keys": ["role1", "role2"],
+  "public_keys": null,
+  "settings": {
+    "access_token_lifetime": 43200000000000,
+    "id_token_lifetime": 43200000000000
+  }
+}
--- a/internal/query/testdata/oidc_client_secret.json
+++ b/internal/query/testdata/oidc_client_secret.json
@@ -2,7 +2,7 @@
  "instance_id": "230690539048009730",
  "app_id": "236646858984783874",
  "state": 1,
-  "client_id": "236646858984849410@tests",
+  "client_id": "236646858984849410",
  "client_secret": "$2a$14$OzZ0XEZZEtD13py/EPba2evsS6WcKZ5orVMj9pWHEGEHmLu2h3PFq",
  "redirect_uris": ["http://localhost:9999/auth/callback"],
  "response_types": [0],