feat(oidc): allow additional audience based on scope in device auth (#7685)

feat(oidc): allow additional audience based on scope
Tim Möhlmann
2024-04-03 09:06:21 +03:00
committed by GitHub
parent 2d25244c77
commit 5b3946b67e
10 changed files with 61 additions and 24 deletions


@@ -11,7 +11,6 @@ import (
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
"github.com/zitadel/zitadel/internal/zerrors"
)
const (
@@ -68,21 +67,20 @@ func (c *DeviceAuthorizationConfig) toOPConfig() op.DeviceAuthorizationConfig {
// StoreDeviceAuthorization creates a new Device Authorization request.
// Implements the op.DeviceAuthorizationStorage interface.
func (o *OPStorage) StoreDeviceAuthorization(ctx context.Context, clientID, deviceCode, userCode string, expires time.Time, scopes []string) (err error) {
func (o *OPStorage) StoreDeviceAuthorization(ctx context.Context, clientID, deviceCode, userCode string, expires time.Time, scope []string) (err error) {
const logMsg = "store device authorization"
logger := logging.WithFields("client_id", clientID, "device_code", deviceCode, "user_code", userCode, "expires", expires, "scopes", scopes)
logger := logging.WithFields("client_id", clientID, "device_code", deviceCode, "user_code", userCode, "expires", expires, "scope", scope)
ctx, span := tracing.NewSpan(ctx)
defer func() {
logger.OnError(err).Error(logMsg)
span.EndWithError(err)
}()
scopes, err = o.assertProjectRoleScopes(ctx, clientID, scopes)
scope, audience, err := o.createAuthRequestScopeAndAudience(ctx, clientID, scope)
if err != nil {
return zerrors.ThrowPreconditionFailed(err, "OIDC-She4t", "Errors.Internal")
return err
}
details, err := o.command.AddDeviceAuth(ctx, clientID, deviceCode, userCode, expires, scopes)
details, err := o.command.AddDeviceAuth(ctx, clientID, deviceCode, userCode, expires, scope, audience)
if err == nil {
logger.SetFields("details", details).Debug(logMsg)
}
@@ -94,6 +92,7 @@ func newDeviceAuthorizationState(d *query.DeviceAuth) *op.DeviceAuthorizationSta
return &op.DeviceAuthorizationState{
ClientID: d.ClientID,
Scopes: d.Scopes,
Audience: d.Audience,
Expires: d.Expires,
Done: d.State.Done(),
Denied: d.State.Denied(),
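Review bot: The `return err` that replaces `zerrors.ThrowPreconditionFailed(err, "OIDC-She4t", "Errors.Internal")` in StoreDeviceAuthorization hands whatever `createAuthRequestScopeAndAudience` returns straight to the OIDC layer, so the device-authorization response now only stays free of internal detail if that helper (outside this hunk) already returns a typed zerrors error with a fixed message; if it can pass through a raw database or parsing error, the previous mapping to `Errors.Internal` should be restored on this line. The deferred `logger.OnError(err).Error(logMsg)` already records the full error server-side, so nothing is lost by keeping the client-facing error generic. The audience is now derived from the client-supplied scope, so the authorization check on which project audiences a client may request also lives entirely in that helper; a doc line on StoreDeviceAuthorization such as `// The audience is derived from the requested scope; see createAuthRequestScopeAndAudience.` would make that dependency visible. StoreDeviceAuthorization's body continues past the visible hunk lines.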