fix: improve oidc issuer / endpoints (#3753)

* fix: improve oidc issuer / endpoints * docs: update endpoints
2025-02-28 17:07:24 +00:00 · 2022-06-07 10:04:51 +02:00 · 2022-06-07 10:04:51 +02:00 · 5e4b38d69b
commit 5e4b38d69b
parent 3a1569bd94
6 changed files with 32 additions and 20 deletions
--- a/cmd/admin/start/start.go
+++ b/cmd/admin/start/start.go
@ -151,7 +151,7 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 		authZRepo,
 		queries,
 	}
-	verifier := internal_authz.Start(repo, http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure)+oidc.HandlerPrefix, systemAPIKeys)
+	verifier := internal_authz.Start(repo, http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure), systemAPIKeys)

 	apis := api.New(config.Port, router, queries, verifier, config.InternalAuthZ, config.ExternalSecure, config.HTTP2HostHeader, config.HTTP1HostHeader)
 	authRepo, err := auth_es.Start(config.Auth, config.SystemDefaults, commands, queries, dbClient, keys.OIDC, keys.User)
@ -168,7 +168,7 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 	if err := apis.RegisterServer(ctx, admin.CreateServer(config.Database.Database, commands, queries, adminRepo, config.ExternalSecure, keys.User)); err != nil {
 		return err
 	}
-	if err := apis.RegisterServer(ctx, management.CreateServer(commands, queries, config.SystemDefaults, keys.User, config.ExternalSecure, oidc.HandlerPrefix, config.AuditLogRetention)); err != nil {
+	if err := apis.RegisterServer(ctx, management.CreateServer(commands, queries, config.SystemDefaults, keys.User, config.ExternalSecure, config.AuditLogRetention)); err != nil {
 		return err
 	}
 	if err := apis.RegisterServer(ctx, auth.CreateServer(commands, queries, authRepo, config.SystemDefaults, keys.User, config.ExternalSecure, config.AuditLogRetention)); err != nil {
@ -183,18 +183,17 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 		return err
 	}

-	oidcProvider, err := oidc.NewProvider(ctx, config.OIDC, login.DefaultLoggedOutPath, config.ExternalSecure, commands, queries, authRepo, keys.OIDC, keys.OIDCKey, eventstore, dbClient, userAgentInterceptor, instanceInterceptor.Handler)
-	if err != nil {
-		return fmt.Errorf("unable to start oidc provider: %w", err)
-	}
-	apis.RegisterHandler(oidc.HandlerPrefix, oidcProvider.HttpHandler())
-
 	openAPIHandler, err := openapi.Start()
 	if err != nil {
 		return fmt.Errorf("unable to start openapi handler: %w", err)
 	}
 	apis.RegisterHandler(openapi.HandlerPrefix, openAPIHandler)

+	oidcProvider, err := oidc.NewProvider(ctx, config.OIDC, login.DefaultLoggedOutPath, config.ExternalSecure, commands, queries, authRepo, keys.OIDC, keys.OIDCKey, eventstore, dbClient, userAgentInterceptor, instanceInterceptor.Handler)
+	if err != nil {
+		return fmt.Errorf("unable to start oidc provider: %w", err)
+	}
+
 	c, err := console.Start(config.Console, config.ExternalSecure, oidcProvider.IssuerFromRequest, instanceInterceptor.Handler)
 	if err != nil {
 		return fmt.Errorf("unable to start console: %w", err)
@ -207,6 +206,12 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 	}
 	apis.RegisterHandler(login.HandlerPrefix, l.Handler())

+	//handle oidc at last, to be able to handle the root
+	//we might want to change that in the future
+	//esp. if we want to have multiple well-known endpoints
+	//it might make sense to handle the discovery endpoint and oauth and oidc prefixes individually
+	//but this will require a change in the oidc lib
+	apis.RegisterHandler("", oidcProvider.HttpHandler())
 	return nil
 }

--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@ -114,6 +114,20 @@ OIDC:
    MaxAge: 12h
    SharedMaxAge: 168h #7d
  CustomEndpoints:
+    Auth:
+      Path: /oauth/v2/authorize
+    Token:
+      Path: /oauth/v2/token
+    Introspection:
+      Path: /oauth/v2/introspect
+    Userinfo:
+      Path: /oidc/v1/userinfo
+    Revocation:
+      Path: /oauth/v2/revoke
+    EndSession:
+      Path: /oidc/v1/end_session
+    Keys:
+      Path: /oauth/v2/keys

 Login:
  LanguageCookieName: zitadel.login.lang
--- a/docs/docs/apis/openidoauth/endpoints.md
+++ b/docs/docs/apis/openidoauth/endpoints.md
@ -387,14 +387,14 @@ If the authorization fails, an HTTP 401 with `invalid_client` will be returned.

 ## userinfo_endpoint

-{your_domain}/oauth/v2/userinfo
+{your_domain}/oidc/v1/userinfo

 This endpoint will return information about the authorized user.

 Send the `access_token` of the **user** (not the client) as Bearer Token in the `authorization` header:
 ```BASH
 curl --request GET \
-  --url {your_domain}/oauth/v2/userinfo
+  --url {your_domain}/oidc/v1/userinfo
  --header 'Authorization: Bearer dsfdsjk29fm2as...'
 ```

@ -482,7 +482,7 @@ curl --request POST \

 ## end_session_endpoint

-{your_domain}/oauth/v2/endsession
+{your_domain}/oidc/v1/endsession

 > The end_session_endpoint is located with the login page, due to the need of accessing the same cookie domain

--- a/internal/api/grpc/management/information.go
+++ b/internal/api/grpc/management/information.go
@ -15,7 +15,7 @@ func (s *Server) Healthz(context.Context, *mgmt_pb.HealthzRequest) (*mgmt_pb.Hea
 }

 func (s *Server) GetOIDCInformation(ctx context.Context, _ *mgmt_pb.GetOIDCInformationRequest) (*mgmt_pb.GetOIDCInformationResponse, error) {
-	issuer := http.BuildOrigin(authz.GetInstance(ctx).RequestedDomain(), s.externalSecure) + s.issuerPath
+	issuer := http.BuildOrigin(authz.GetInstance(ctx).RequestedHost(), s.externalSecure)
 	return &mgmt_pb.GetOIDCInformationResponse{
 		Issuer:            issuer,
 		DiscoveryEndpoint: issuer + oidc.DiscoveryEndpoint,
--- a/internal/api/grpc/management/server.go
+++ b/internal/api/grpc/management/server.go
@ -31,7 +31,6 @@ type Server struct {
 	passwordHashAlg   crypto.HashAlgorithm
 	userCodeAlg       crypto.EncryptionAlgorithm
 	externalSecure    bool
-	issuerPath        string
 	auditLogRetention time.Duration
 }

@ -41,7 +40,6 @@ func CreateServer(
 	sd systemdefaults.SystemDefaults,
 	userCodeAlg crypto.EncryptionAlgorithm,
 	externalSecure bool,
-	issuerPath string,
 	auditLogRetention time.Duration,
 ) *Server {
 	return &Server{
@ -52,7 +50,6 @@ func CreateServer(
 		passwordHashAlg:   crypto.NewBCrypt(sd.SecretGenerators.PasswordSaltCost),
 		userCodeAlg:       userCodeAlg,
 		externalSecure:    externalSecure,
-		issuerPath:        issuerPath,
 		auditLogRetention: auditLogRetention,
 	}
 }
--- a/internal/api/oidc/op.go
+++ b/internal/api/oidc/op.go
@ -26,10 +26,6 @@ import (
 	"github.com/zitadel/zitadel/internal/telemetry/metrics"
 )

-const (
-	HandlerPrefix = "/oauth/v2"
-)
-
 type Config struct {
 	CodeMethodS256                    bool
 	AuthMethodPost                    bool
@ -89,7 +85,7 @@ func NewProvider(ctx context.Context, config Config, defaultLogoutRedirectURI st
 	}
 	provider, err := op.NewDynamicOpenIDProvider(
 		ctx,
-		HandlerPrefix,
+		"",
 		opConfig,
 		storage,
 		options...,