fix: JWT Profile (#748)

* fix: correct env var for tracing type

* fix: local env tracing

* fix: key in detail as string

* fix: implement storage

* fix: machine key by id
fix: store public key as bytes instead of crypto value

* update oidc pkg

* dont check origins for service account tokens

* fix: scopes

* fix: dependencies

* fix: dependencies

* fix: remove unused code

* fix: variable naming

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

internal/api/oidc/auth_request.go

@@ -59,15 +59,14 @@ func (o *OPStorage) DeleteAuthRequest(ctx context.Context, id string) error {
 	return o.repo.DeleteAuthRequest(ctx, id)
 }
 
-func (o *OPStorage) CreateToken(ctx context.Context, authReq op.AuthRequest) (string, time.Time, error) {
-	app, err := o.repo.ApplicationByClientID(ctx, authReq.GetClientID())
-	if err != nil {
-		return "", time.Time{}, err
+func (o *OPStorage) CreateToken(ctx context.Context, req op.TokenRequest) (string, time.Time, error) {
+	var userAgentID, applicationID string
+	authReq, ok := req.(*AuthRequest)
+	if ok {
+		userAgentID = authReq.AgentID
+		applicationID = authReq.ApplicationID
 	}
-	grants, err := o.repo.UserGrantsByProjectAndUserID(app.ProjectID, authReq.GetSubject())
-	scopes := append(authReq.GetScopes(), grantsToScopes(grants)...)
-	req, _ := authReq.(*AuthRequest)
-	resp, err := o.repo.CreateToken(ctx, req.AgentID, req.ApplicationID, req.UserID, req.Audience, scopes, o.defaultAccessTokenLifetime) //PLANNED: lifetime from client
+	resp, err := o.repo.CreateToken(ctx, userAgentID, applicationID, req.GetSubject(), req.GetAudience(), req.GetScopes(), o.defaultAccessTokenLifetime) //PLANNED: lifetime from client
 	if err != nil {
 		return "", time.Time{}, err
 	}

internal/api/oidc/client.go

@@ -2,14 +2,16 @@ package oidc
 
 import (
 	"context"
-	"github.com/caos/logging"
+
 	"golang.org/x/text/language"
+	"gopkg.in/square/go-jose.v2"
 
 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/op"
 
 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
 	proj_model "github.com/caos/zitadel/internal/project/model"
 	user_model "github.com/caos/zitadel/internal/user/model"
@@ -36,6 +38,25 @@ func (o *OPStorage) GetClientByClientID(ctx context.Context, id string) (op.Clie
 	return ClientFromBusiness(client, o.defaultLoginURL, o.defaultAccessTokenLifetime, o.defaultIdTokenLifetime)
 }
 
+func (o *OPStorage) GetKeyByIDAndUserID(ctx context.Context, keyID, userID string) (*jose.JSONWebKey, error) {
+	key, err := o.repo.MachineKeyByID(ctx, keyID)
+	if err != nil {
+		return nil, err
+	}
+	if key.UserID != userID {
+		return nil, errors.ThrowPermissionDenied(nil, "OIDC-24jm3", "key from different user")
+	}
+	publicKey, err := crypto.BytesToPublicKey(key.PublicKey)
+	if err != nil {
+		return nil, err
+	}
+	return &jose.JSONWebKey{
+		KeyID: key.ID,
+		Use:   "sig",
+		Key:   publicKey,
+	}, nil
+}
+
 func (o *OPStorage) AuthorizeClientIDSecret(ctx context.Context, id string, secret string) error {
 	ctx = authz.SetCtxData(ctx, authz.CtxData{
 		UserID: oidcCtx,
@@ -49,12 +70,14 @@ func (o *OPStorage) GetUserinfoFromToken(ctx context.Context, tokenID, origin st
 	if err != nil {
 		return nil, err
 	}
-	app, err := o.repo.ApplicationByClientID(ctx, token.ApplicationID)
-	if err != nil {
-		return nil, err
-	}
-	if origin != "" && !http.IsOriginAllowed(app.OriginAllowList, origin) {
-		return nil, errors.ThrowPermissionDenied(nil, "OIDC-da1f3", "origin is not allowed")
+	if token.ApplicationID != "" {
+		app, err := o.repo.ApplicationByClientID(ctx, token.ApplicationID)
+		if err != nil {
+			return nil, err
+		}
+		if origin != "" && !http.IsOriginAllowed(app.OriginAllowList, origin) {
+			return nil, errors.ThrowPermissionDenied(nil, "OIDC-da1f3", "origin is not allowed")
+		}
 	}
 	return o.GetUserinfoFromScopes(ctx, token.UserID, token.Scopes)
 }
@@ -70,22 +93,34 @@ func (o *OPStorage) GetUserinfoFromScopes(ctx context.Context, userID string, sc
 		case scopeOpenID:
 			userInfo.Subject = user.ID
 		case scopeEmail:
+			if user.HumanView == nil {
+				continue
+			}
 			userInfo.Email = user.Email
 			userInfo.EmailVerified = user.IsEmailVerified
 		case scopeProfile:
-			userInfo.Name = user.DisplayName
-			userInfo.FamilyName = user.LastName
-			userInfo.GivenName = user.FirstName
-			userInfo.Nickname = user.NickName
 			userInfo.PreferredUsername = user.PreferredLoginName
 			userInfo.UpdatedAt = user.ChangeDate
-			userInfo.Gender = oidc.Gender(getGender(user.Gender))
-			userInfo.Locale, err = language.Parse(user.PreferredLanguage)
-			logging.Log("OIDC-4ks9F").OnError(err).Debug("unable to parse locale")
+			if user.HumanView != nil {
+				userInfo.Name = user.DisplayName
+				userInfo.FamilyName = user.LastName
+				userInfo.GivenName = user.FirstName
+				userInfo.Nickname = user.NickName
+				userInfo.Gender = oidc.Gender(getGender(user.Gender))
+				userInfo.Locale, err = language.Parse(user.PreferredLanguage)
+			} else {
+				userInfo.Name = user.MachineView.Name
+			}
 		case scopePhone:
+			if user.HumanView == nil {
+				continue
+			}
 			userInfo.PhoneNumber = user.Phone
 			userInfo.PhoneNumberVerified = user.IsPhoneVerified
 		case scopeAddress:
+			if user.HumanView == nil {
+				continue
+			}
 			userInfo.Address.StreetAddress = user.StreetAddress
 			userInfo.Address.Locality = user.Locality
 			userInfo.Address.Region = user.Region

internal/api/oidc/op.go

@@ -54,7 +54,7 @@ func NewProvider(ctx context.Context, config OPHandlerConfig, repo repository.Re
 	cookieHandler, err := middleware.NewUserAgentHandler(config.UserAgentCookieConfig, id.SonyFlakeGenerator, localDevMode)
 	logging.Log("OIDC-sd4fd").OnError(err).Panic("cannot user agent handler")
 	config.OPConfig.CodeMethodS256 = true
-	provider, err := op.NewDefaultOP(
+	provider, err := op.NewOpenIDProvider(
 		ctx,
 		config.OPConfig,
 		newStorage(config.StorageConfig, repo),