feat(oidc): optimize the userinfo endpoint (#7706)

* feat(oidc): optimize the userinfo endpoint * store project ID in the access token * query for projectID if not in token * add scope based tests * Revert "store project ID in the access token" This reverts commit 5f0262f239. * query project role assertion * use project role assertion setting to return roles * workaround eventual consistency and handle PAT * do not append empty project id
2025-08-11 21:17:32 +00:00 · 2024-04-09 16:15:35 +03:00
parent c8e0b30e17
commit 6a51c4b0f5
25 changed files with 528 additions and 159 deletions
--- a/internal/query/introspection.go
+++ b/internal/query/introspection.go
@@ -25,6 +25,8 @@ var introspectionTriggerHandlers = sync.OnceValue(func() []*handler.Handler {
 	)
 })

+// TriggerIntrospectionProjections triggers all projections
+// relevant to introspection queries concurrently.
 func TriggerIntrospectionProjections(ctx context.Context) {
 	triggerBatch(ctx, introspectionTriggerHandlers()...)
 }
@@ -37,16 +39,17 @@ const (
 )

 type IntrospectionClient struct {
-	AppID         string
-	ClientID      string
-	HashedSecret  string
-	AppType       AppType
-	ProjectID     string
-	ResourceOwner string
-	PublicKeys    database.Map[[]byte]
+	AppID                string
+	ClientID             string
+	HashedSecret         string
+	AppType              AppType
+	ProjectID            string
+	ResourceOwner        string
+	ProjectRoleAssertion bool
+	PublicKeys           database.Map[[]byte]
 }

-//go:embed embed/introspection_client_by_id.sql
+//go:embed introspection_client_by_id.sql
 var introspectionClientByIDQuery string

 func (q *Queries) GetIntrospectionClientByID(ctx context.Context, clientID string, getKeys bool) (_ *IntrospectionClient, err error) {
@@ -66,6 +69,7 @@ func (q *Queries) GetIntrospectionClientByID(ctx context.Context, clientID strin
 			&client.AppType,
 			&client.ProjectID,
 			&client.ResourceOwner,
+			&client.ProjectRoleAssertion,
 			&client.PublicKeys,
 		)
 	},