fix: improve oidc issuer / endpoints (#3753)

* fix: improve oidc issuer / endpoints

* docs: update endpoints
This commit is contained in:
Livio Spring 2022-06-07 10:04:51 +02:00 committed by GitHub
parent 3a1569bd94
commit 5e4b38d69b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 32 additions and 20 deletions


@ -151,7 +151,7 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
authZRepo, authZRepo,
queries, queries,
} }
verifier := internal_authz.Start(repo, http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure)+oidc.HandlerPrefix, systemAPIKeys) verifier := internal_authz.Start(repo, http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure), systemAPIKeys)
apis := api.New(config.Port, router, queries, verifier, config.InternalAuthZ, config.ExternalSecure, config.HTTP2HostHeader, config.HTTP1HostHeader) apis := api.New(config.Port, router, queries, verifier, config.InternalAuthZ, config.ExternalSecure, config.HTTP2HostHeader, config.HTTP1HostHeader)
authRepo, err := auth_es.Start(config.Auth, config.SystemDefaults, commands, queries, dbClient, keys.OIDC, keys.User) authRepo, err := auth_es.Start(config.Auth, config.SystemDefaults, commands, queries, dbClient, keys.OIDC, keys.User)
@ -168,7 +168,7 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
if err := apis.RegisterServer(ctx, admin.CreateServer(config.Database.Database, commands, queries, adminRepo, config.ExternalSecure, keys.User)); err != nil { if err := apis.RegisterServer(ctx, admin.CreateServer(config.Database.Database, commands, queries, adminRepo, config.ExternalSecure, keys.User)); err != nil {
return err return err
} }
if err := apis.RegisterServer(ctx, management.CreateServer(commands, queries, config.SystemDefaults, keys.User, config.ExternalSecure, oidc.HandlerPrefix, config.AuditLogRetention)); err != nil { if err := apis.RegisterServer(ctx, management.CreateServer(commands, queries, config.SystemDefaults, keys.User, config.ExternalSecure, config.AuditLogRetention)); err != nil {
return err return err
} }
if err := apis.RegisterServer(ctx, auth.CreateServer(commands, queries, authRepo, config.SystemDefaults, keys.User, config.ExternalSecure, config.AuditLogRetention)); err != nil { if err := apis.RegisterServer(ctx, auth.CreateServer(commands, queries, authRepo, config.SystemDefaults, keys.User, config.ExternalSecure, config.AuditLogRetention)); err != nil {
@ -183,18 +183,17 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
return err return err
} }
oidcProvider, err := oidc.NewProvider(ctx, config.OIDC, login.DefaultLoggedOutPath, config.ExternalSecure, commands, queries, authRepo, keys.OIDC, keys.OIDCKey, eventstore, dbClient, userAgentInterceptor, instanceInterceptor.Handler)
if err != nil {
return fmt.Errorf("unable to start oidc provider: %w", err)
}
apis.RegisterHandler(oidc.HandlerPrefix, oidcProvider.HttpHandler())
openAPIHandler, err := openapi.Start() openAPIHandler, err := openapi.Start()
if err != nil { if err != nil {
return fmt.Errorf("unable to start openapi handler: %w", err) return fmt.Errorf("unable to start openapi handler: %w", err)
} }
apis.RegisterHandler(openapi.HandlerPrefix, openAPIHandler) apis.RegisterHandler(openapi.HandlerPrefix, openAPIHandler)
oidcProvider, err := oidc.NewProvider(ctx, config.OIDC, login.DefaultLoggedOutPath, config.ExternalSecure, commands, queries, authRepo, keys.OIDC, keys.OIDCKey, eventstore, dbClient, userAgentInterceptor, instanceInterceptor.Handler)
if err != nil {
return fmt.Errorf("unable to start oidc provider: %w", err)
}
c, err := console.Start(config.Console, config.ExternalSecure, oidcProvider.IssuerFromRequest, instanceInterceptor.Handler) c, err := console.Start(config.Console, config.ExternalSecure, oidcProvider.IssuerFromRequest, instanceInterceptor.Handler)
if err != nil { if err != nil {
return fmt.Errorf("unable to start console: %w", err) return fmt.Errorf("unable to start console: %w", err)
@ -207,6 +206,12 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
} }
apis.RegisterHandler(login.HandlerPrefix, l.Handler()) apis.RegisterHandler(login.HandlerPrefix, l.Handler())
//handle oidc at last, to be able to handle the root
//we might want to change that in the future
//esp. if we want to have multiple well-known endpoints
//it might make sense to handle the discovery endpoint and oauth and oidc prefixes individually
//but this will require a change in the oidc lib
apis.RegisterHandler("", oidcProvider.HttpHandler())
return nil return nil
} }
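Review bot: The root registration `apis.RegisterHandler("", oidcProvider.HttpHandler())` turns the OIDC handler into the fallback for every path no earlier handler claimed, so registration order in startAPIs is now load-bearing and any handler added after this line would be shadowed; the comment block explains the motivation but not that constraint. I would extend it with `//NOTE: nothing may be registered after this line, the empty prefix matches every remaining path`. In the first hunk the authz verifier is now started with the bare origin as issuer where it previously appended oidc.HandlerPrefix; tokens issued before this change presumably carry the old `/oauth/v2` issuer and would then fail verification after an upgrade, which is worth stating in the PR description. startAPIs begins before the first hunk.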


@ -114,6 +114,20 @@ OIDC:
MaxAge: 12h MaxAge: 12h
SharedMaxAge: 168h #7d SharedMaxAge: 168h #7d
CustomEndpoints: CustomEndpoints:
Auth:
Path: /oauth/v2/authorize
Token:
Path: /oauth/v2/token
Introspection:
Path: /oauth/v2/introspect
Userinfo:
Path: /oidc/v1/userinfo
Revocation:
Path: /oauth/v2/revoke
EndSession:
Path: /oidc/v1/end_session
Keys:
Path: /oauth/v2/keys
Login: Login:
LanguageCookieName: zitadel.login.lang LanguageCookieName: zitadel.login.lang
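Review bot: The default `EndSession.Path: /oidc/v1/end_session` does not match the endpoint documented in the docs hunk of this commit, `{your_domain}/oidc/v1/endsession`, so one of the two is wrong; the config value is what the server serves, so I would expect the docs line to become `{your_domain}/oidc/v1/end_session` unless the library normalizes the path. The block also mixes `/oauth/v2/...` and `/oidc/v1/...` prefixes without saying why, and since the issuer no longer carries `/oauth/v2` (see the provider and verifier hunks), an operator overriding one of these presumably has to give the full path from the root. A one-line YAML comment above `CustomEndpoints`, such as `# paths are absolute from the server root; the issuer is scheme + host only`, would save the next reader a lookup.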


@ -387,14 +387,14 @@ If the authorization fails, an HTTP 401 with `invalid_client` will be returned.
## userinfo_endpoint ## userinfo_endpoint
{your_domain}/oauth/v2/userinfo {your_domain}/oidc/v1/userinfo
This endpoint will return information about the authorized user. This endpoint will return information about the authorized user.
Send the `access_token` of the **user** (not the client) as Bearer Token in the `authorization` header: Send the `access_token` of the **user** (not the client) as Bearer Token in the `authorization` header:
```BASH ```BASH
curl --request GET \ curl --request GET \
--url {your_domain}/oauth/v2/userinfo --url {your_domain}/oidc/v1/userinfo
--header 'Authorization: Bearer dsfdsjk29fm2as...' --header 'Authorization: Bearer dsfdsjk29fm2as...'
``` ```
@ -482,7 +482,7 @@ curl --request POST \
## end_session_endpoint ## end_session_endpoint
{your_domain}/oauth/v2/endsession {your_domain}/oidc/v1/endsession
> The end_session_endpoint is located with the login page, due to the need of accessing the same cookie domain > The end_session_endpoint is located with the login page, due to the need of accessing the same cookie domain


@ -15,7 +15,7 @@ func (s *Server) Healthz(context.Context, *mgmt_pb.HealthzRequest) (*mgmt_pb.Hea
} }
func (s *Server) GetOIDCInformation(ctx context.Context, _ *mgmt_pb.GetOIDCInformationRequest) (*mgmt_pb.GetOIDCInformationResponse, error) { func (s *Server) GetOIDCInformation(ctx context.Context, _ *mgmt_pb.GetOIDCInformationRequest) (*mgmt_pb.GetOIDCInformationResponse, error) {
issuer := http.BuildOrigin(authz.GetInstance(ctx).RequestedDomain(), s.externalSecure) + s.issuerPath issuer := http.BuildOrigin(authz.GetInstance(ctx).RequestedHost(), s.externalSecure)
return &mgmt_pb.GetOIDCInformationResponse{ return &mgmt_pb.GetOIDCInformationResponse{
Issuer: issuer, Issuer: issuer,
DiscoveryEndpoint: issuer + oidc.DiscoveryEndpoint, DiscoveryEndpoint: issuer + oidc.DiscoveryEndpoint,
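Review bot: GetOIDCInformation rebuilds the issuer by hand from `RequestedHost()` and `s.externalSecure`, while the same commit hands `oidcProvider.IssuerFromRequest` to console.Start in startAPIs; two independent derivations of the issuer can drift (for instance if one of them starts treating ports or the configured external domain differently), and the management API would then disagree with the discovery document. If the provider can expose the same derivation in a form usable without an *http.Request, CreateServer could take it in place of the removed `issuerPath` parameter; hedged, since the provider's API is not in the hunk. At minimum a doc comment `// GetOIDCInformation returns the issuer (scheme and requested host, no path) and the discovery endpoint built from it.` would document the new shape. The function continues past the hunk.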


@ -31,7 +31,6 @@ type Server struct {
passwordHashAlg crypto.HashAlgorithm passwordHashAlg crypto.HashAlgorithm
userCodeAlg crypto.EncryptionAlgorithm userCodeAlg crypto.EncryptionAlgorithm
externalSecure bool externalSecure bool
issuerPath string
auditLogRetention time.Duration auditLogRetention time.Duration
} }
@ -41,7 +40,6 @@ func CreateServer(
sd systemdefaults.SystemDefaults, sd systemdefaults.SystemDefaults,
userCodeAlg crypto.EncryptionAlgorithm, userCodeAlg crypto.EncryptionAlgorithm,
externalSecure bool, externalSecure bool,
issuerPath string,
auditLogRetention time.Duration, auditLogRetention time.Duration,
) *Server { ) *Server {
return &Server{ return &Server{
@ -52,7 +50,6 @@ func CreateServer(
passwordHashAlg: crypto.NewBCrypt(sd.SecretGenerators.PasswordSaltCost), passwordHashAlg: crypto.NewBCrypt(sd.SecretGenerators.PasswordSaltCost),
userCodeAlg: userCodeAlg, userCodeAlg: userCodeAlg,
externalSecure: externalSecure, externalSecure: externalSecure,
issuerPath: issuerPath,
auditLogRetention: auditLogRetention, auditLogRetention: auditLogRetention,
} }
} }


@ -26,10 +26,6 @@ import (
"github.com/zitadel/zitadel/internal/telemetry/metrics" "github.com/zitadel/zitadel/internal/telemetry/metrics"
) )
const (
HandlerPrefix = "/oauth/v2"
)
type Config struct { type Config struct {
CodeMethodS256 bool CodeMethodS256 bool
AuthMethodPost bool AuthMethodPost bool
@ -89,7 +85,7 @@ func NewProvider(ctx context.Context, config Config, defaultLogoutRedirectURI st
} }
provider, err := op.NewDynamicOpenIDProvider( provider, err := op.NewDynamicOpenIDProvider(
ctx, ctx,
HandlerPrefix, "",
opConfig, opConfig,
storage, storage,
options..., options...,
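Review bot: The bare `""` passed as the issuer path to `op.NewDynamicOpenIDProvider` reads as an accident at the call site, especially since the exported `HandlerPrefix` it replaces is deleted from this package; I would annotate it, `"", // mounted at the server root: the issuer is the bare origin and endpoint paths come from CustomEndpoints`. Removing the exported constant is an API break for any other package that still references `oidc.HandlerPrefix`; the two call sites in startAPIs are updated in this commit, but a repo-wide search is worth confirming before merge. NewProvider starts before this hunk and the constructor call continues past it.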