feat(oidc): optimize the userinfo endpoint (#7706)

* feat(oidc): optimize the userinfo endpoint * store project ID in the access token * query for projectID if not in token * add scope based tests * Revert "store project ID in the access token" This reverts commit 5f0262f239. * query project role assertion * use project role assertion setting to return roles * workaround eventual consistency and handle PAT * do not append empty project id
2025-08-11 19:07:30 +00:00 · 2024-04-09 16:15:35 +03:00
parent c8e0b30e17
commit 6a51c4b0f5
25 changed files with 528 additions and 159 deletions
--- a/internal/query/introspection_test.go
+++ b/internal/query/introspection_test.go
@@ -50,17 +50,18 @@ func TestQueries_GetIntrospectionClientByID(t *testing.T) {
 				getKeys:  false,
 			},
 			mock: mockQuery(expQuery,
-				[]string{"app_id", "client_id", "client_secret", "app_type", "project_id", "resource_owner", "public_keys"},
-				[]driver.Value{"appID", "clientID", "secret", "oidc", "projectID", "orgID", nil},
+				[]string{"app_id", "client_id", "client_secret", "app_type", "project_id", "resource_owner", "project_role_assertion", "public_keys"},
+				[]driver.Value{"appID", "clientID", "secret", "oidc", "projectID", "orgID", true, nil},
 				"instanceID", "clientID", false),
 			want: &IntrospectionClient{
-				AppID:         "appID",
-				ClientID:      "clientID",
-				HashedSecret:  "secret",
-				AppType:       AppTypeOIDC,
-				ProjectID:     "projectID",
-				ResourceOwner: "orgID",
-				PublicKeys:    nil,
+				AppID:                "appID",
+				ClientID:             "clientID",
+				HashedSecret:         "secret",
+				AppType:              AppTypeOIDC,
+				ProjectID:            "projectID",
+				ResourceOwner:        "orgID",
+				ProjectRoleAssertion: true,
+				PublicKeys:           nil,
 			},
 		},
 		{
@@ -70,17 +71,18 @@ func TestQueries_GetIntrospectionClientByID(t *testing.T) {
 				getKeys:  true,
 			},
 			mock: mockQuery(expQuery,
-				[]string{"app_id", "client_id", "client_secret", "app_type", "project_id", "resource_owner", "public_keys"},
-				[]driver.Value{"appID", "clientID", "", "oidc", "projectID", "orgID", encPubkeys},
+				[]string{"app_id", "client_id", "client_secret", "app_type", "project_id", "resource_owner", "project_role_assertion", "public_keys"},
+				[]driver.Value{"appID", "clientID", "", "oidc", "projectID", "orgID", true, encPubkeys},
 				"instanceID", "clientID", true),
 			want: &IntrospectionClient{
-				AppID:         "appID",
-				ClientID:      "clientID",
-				HashedSecret:  "",
-				AppType:       AppTypeOIDC,
-				ProjectID:     "projectID",
-				ResourceOwner: "orgID",
-				PublicKeys:    pubkeys,
+				AppID:                "appID",
+				ClientID:             "clientID",
+				HashedSecret:         "",
+				AppType:              AppTypeOIDC,
+				ProjectID:            "projectID",
+				ResourceOwner:        "orgID",
+				ProjectRoleAssertion: true,
+				PublicKeys:           pubkeys,
 			},
 		},
 	}