feat(api): add generic oauth provider template (#5260)

adds functionality to manage templates based OIDC IDPs

internal/repository/idp/idp.go

@@ -47,8 +47,8 @@ func (o *Options) ReduceChanges(changes OptionChanges) {
 	if changes.IsLinkingAllowed != nil {
 		o.IsLinkingAllowed = *changes.IsLinkingAllowed
 	}
-	if changes.IsAutoUpdate != nil {
-		o.IsAutoUpdate = *changes.IsAutoUpdate
+	if changes.IsAutoCreation != nil {
+		o.IsAutoCreation = *changes.IsAutoCreation
 	}
 	if changes.IsAutoUpdate != nil {
 		o.IsAutoUpdate = *changes.IsAutoUpdate

internal/repository/idp/oauth.go

@@ -0,0 +1,173 @@
+package idp
+
+import (
+	"encoding/json"
+
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/repository"
+)
+
+type OAuthIDPAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID                    string              `json:"id"`
+	Name                  string              `json:"name,omitempty"`
+	ClientID              string              `json:"client_id,omitempty"`
+	ClientSecret          *crypto.CryptoValue `json:"client_secret,omitempty"`
+	AuthorizationEndpoint string              `json:"authorizationEndpoint,omitempty"`
+	TokenEndpoint         string              `json:"tokenEndpoint,omitempty"`
+	UserEndpoint          string              `json:"userEndpoint,omitempty"`
+	Scopes                []string            `json:"scopes,omitempty"`
+	Options
+}
+
+func NewOAuthIDPAddedEvent(
+	base *eventstore.BaseEvent,
+	id,
+	name,
+	clientID string,
+	clientSecret *crypto.CryptoValue,
+	authorizationEndpoint,
+	tokenEndpoint,
+	userEndpoint string,
+	scopes []string,
+	options Options,
+) *OAuthIDPAddedEvent {
+	return &OAuthIDPAddedEvent{
+		BaseEvent:             *base,
+		ID:                    id,
+		Name:                  name,
+		ClientID:              clientID,
+		ClientSecret:          clientSecret,
+		AuthorizationEndpoint: authorizationEndpoint,
+		TokenEndpoint:         tokenEndpoint,
+		UserEndpoint:          userEndpoint,
+		Scopes:                scopes,
+		Options:               options,
+	}
+}
+
+func (e *OAuthIDPAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OAuthIDPAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func OAuthIDPAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &OAuthIDPAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IDP-Et1dq", "unable to unmarshal event")
+	}
+
+	return e, nil
+}
+
+type OAuthIDPChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID                    string              `json:"id"`
+	Name                  *string             `json:"name,omitempty"`
+	ClientID              *string             `json:"client_id,omitempty"`
+	ClientSecret          *crypto.CryptoValue `json:"client_secret,omitempty"`
+	AuthorizationEndpoint *string             `json:"authorizationEndpoint,omitempty"`
+	TokenEndpoint         *string             `json:"tokenEndpoint,omitempty"`
+	UserEndpoint          *string             `json:"userEndpoint,omitempty"`
+	Scopes                []string            `json:"scopes,omitempty"`
+	OptionChanges
+}
+
+func NewOAuthIDPChangedEvent(
+	base *eventstore.BaseEvent,
+	id string,
+	changes []OAuthIDPChanges,
+) (*OAuthIDPChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "IDP-BH3dl", "Errors.NoChangesFound")
+	}
+	changedEvent := &OAuthIDPChangedEvent{
+		BaseEvent: *base,
+		ID:        id,
+	}
+	for _, change := range changes {
+		change(changedEvent)
+	}
+	return changedEvent, nil
+}
+
+type OAuthIDPChanges func(*OAuthIDPChangedEvent)
+
+func ChangeOAuthName(name string) func(*OAuthIDPChangedEvent) {
+	return func(e *OAuthIDPChangedEvent) {
+		e.Name = &name
+	}
+}
+func ChangeOAuthClientID(clientID string) func(*OAuthIDPChangedEvent) {
+	return func(e *OAuthIDPChangedEvent) {
+		e.ClientID = &clientID
+	}
+}
+
+func ChangeOAuthClientSecret(clientSecret *crypto.CryptoValue) func(*OAuthIDPChangedEvent) {
+	return func(e *OAuthIDPChangedEvent) {
+		e.ClientSecret = clientSecret
+	}
+}
+
+func ChangeOAuthOptions(options OptionChanges) func(*OAuthIDPChangedEvent) {
+	return func(e *OAuthIDPChangedEvent) {
+		e.OptionChanges = options
+	}
+}
+
+func ChangeOAuthAuthorizationEndpoint(authorizationEndpoint string) func(*OAuthIDPChangedEvent) {
+	return func(e *OAuthIDPChangedEvent) {
+		e.AuthorizationEndpoint = &authorizationEndpoint
+	}
+}
+
+func ChangeOAuthTokenEndpoint(tokenEndpoint string) func(*OAuthIDPChangedEvent) {
+	return func(e *OAuthIDPChangedEvent) {
+		e.TokenEndpoint = &tokenEndpoint
+	}
+}
+
+func ChangeOAuthUserEndpoint(userEndpoint string) func(*OAuthIDPChangedEvent) {
+	return func(e *OAuthIDPChangedEvent) {
+		e.UserEndpoint = &userEndpoint
+	}
+}
+
+func ChangeOAuthScopes(scopes []string) func(*OAuthIDPChangedEvent) {
+	return func(e *OAuthIDPChangedEvent) {
+		e.Scopes = scopes
+	}
+}
+
+func (e *OAuthIDPChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OAuthIDPChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func OAuthIDPChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &OAuthIDPChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IDP-SAf3gw", "unable to unmarshal event")
+	}
+
+	return e, nil
+}

internal/repository/instance/eventstore.go

@@ -70,6 +70,8 @@ func RegisterEventMappers(es *eventstore.Eventstore) {
 		RegisterFilterEventMapper(AggregateType, IDPOIDCConfigChangedEventType, IDPOIDCConfigChangedEventMapper).
 		RegisterFilterEventMapper(AggregateType, IDPJWTConfigAddedEventType, IDPJWTConfigAddedEventMapper).
 		RegisterFilterEventMapper(AggregateType, IDPJWTConfigChangedEventType, IDPJWTConfigChangedEventMapper).
+		RegisterFilterEventMapper(AggregateType, OAuthIDPAddedEventType, OAuthIDPAddedEventMapper).
+		RegisterFilterEventMapper(AggregateType, OAuthIDPChangedEventType, OAuthIDPChangedEventMapper).
 		RegisterFilterEventMapper(AggregateType, GoogleIDPAddedEventType, GoogleIDPAddedEventMapper).
 		RegisterFilterEventMapper(AggregateType, GoogleIDPChangedEventType, GoogleIDPChangedEventMapper).
 		RegisterFilterEventMapper(AggregateType, LDAPIDPAddedEventType, LDAPIDPAddedEventMapper).

internal/repository/instance/idp.go

@@ -10,6 +10,8 @@ import (
 )
 
 const (
+	OAuthIDPAddedEventType    eventstore.EventType = "instance.idp.oauth.added"
+	OAuthIDPChangedEventType  eventstore.EventType = "instance.idp.oauth.changed"
 	GoogleIDPAddedEventType   eventstore.EventType = "instance.idp.google.added"
 	GoogleIDPChangedEventType eventstore.EventType = "instance.idp.google.changed"
 	LDAPIDPAddedEventType     eventstore.EventType = "instance.idp.ldap.added"
@@ -17,6 +19,88 @@ const (
 	IDPRemovedEventType       eventstore.EventType = "instance.idp.removed"
 )
 
+type OAuthIDPAddedEvent struct {
+	idp.OAuthIDPAddedEvent
+}
+
+func NewOAuthIDPAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id,
+	name,
+	clientID string,
+	clientSecret *crypto.CryptoValue,
+	authorizationEndpoint,
+	tokenEndpoint,
+	userEndpoint string,
+	scopes []string,
+	options idp.Options,
+) *OAuthIDPAddedEvent {
+
+	return &OAuthIDPAddedEvent{
+		OAuthIDPAddedEvent: *idp.NewOAuthIDPAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				OAuthIDPAddedEventType,
+			),
+			id,
+			name,
+			clientID,
+			clientSecret,
+			authorizationEndpoint,
+			tokenEndpoint,
+			userEndpoint,
+			scopes,
+			options,
+		),
+	}
+}
+
+func OAuthIDPAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := idp.OAuthIDPAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &OAuthIDPAddedEvent{OAuthIDPAddedEvent: *e.(*idp.OAuthIDPAddedEvent)}, nil
+}
+
+type OAuthIDPChangedEvent struct {
+	idp.OAuthIDPChangedEvent
+}
+
+func NewOAuthIDPChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id string,
+	changes []idp.OAuthIDPChanges,
+) (*OAuthIDPChangedEvent, error) {
+
+	changedEvent, err := idp.NewOAuthIDPChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OAuthIDPChangedEventType,
+		),
+		id,
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &OAuthIDPChangedEvent{OAuthIDPChangedEvent: *changedEvent}, nil
+}
+
+func OAuthIDPChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := idp.OAuthIDPChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &OAuthIDPChangedEvent{OAuthIDPChangedEvent: *e.(*idp.OAuthIDPChangedEvent)}, nil
+}
+
 type GoogleIDPAddedEvent struct {
 	idp.GoogleIDPAddedEvent
 }

internal/repository/org/eventstore.go

@@ -78,6 +78,8 @@ func RegisterEventMappers(es *eventstore.Eventstore) {
 		RegisterFilterEventMapper(AggregateType, IDPOIDCConfigChangedEventType, IDPOIDCConfigChangedEventMapper).
 		RegisterFilterEventMapper(AggregateType, IDPJWTConfigAddedEventType, IDPJWTConfigAddedEventMapper).
 		RegisterFilterEventMapper(AggregateType, IDPJWTConfigChangedEventType, IDPJWTConfigChangedEventMapper).
+		RegisterFilterEventMapper(AggregateType, OAuthIDPAddedEventType, OAuthIDPAddedEventMapper).
+		RegisterFilterEventMapper(AggregateType, OAuthIDPChangedEventType, OAuthIDPChangedEventMapper).
 		RegisterFilterEventMapper(AggregateType, GoogleIDPAddedEventType, GoogleIDPAddedEventMapper).
 		RegisterFilterEventMapper(AggregateType, GoogleIDPChangedEventType, GoogleIDPChangedEventMapper).
 		RegisterFilterEventMapper(AggregateType, LDAPIDPAddedEventType, LDAPIDPAddedEventMapper).

internal/repository/org/idp.go

@@ -10,6 +10,8 @@ import (
 )
 
 const (
+	OAuthIDPAddedEventType    eventstore.EventType = "org.idp.oauth.added"
+	OAuthIDPChangedEventType  eventstore.EventType = "org.idp.oauth.changed"
 	GoogleIDPAddedEventType   eventstore.EventType = "org.idp.google.added"
 	GoogleIDPChangedEventType eventstore.EventType = "org.idp.google.changed"
 	LDAPIDPAddedEventType     eventstore.EventType = "org.idp.ldap.added"
@@ -17,6 +19,88 @@ const (
 	IDPRemovedEventType       eventstore.EventType = "org.idp.removed"
 )
 
+type OAuthIDPAddedEvent struct {
+	idp.OAuthIDPAddedEvent
+}
+
+func NewOAuthIDPAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id,
+	name,
+	clientID string,
+	clientSecret *crypto.CryptoValue,
+	authorizationEndpoint,
+	tokenEndpoint,
+	userEndpoint string,
+	scopes []string,
+	options idp.Options,
+) *OAuthIDPAddedEvent {
+
+	return &OAuthIDPAddedEvent{
+		OAuthIDPAddedEvent: *idp.NewOAuthIDPAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				OAuthIDPAddedEventType,
+			),
+			id,
+			name,
+			clientID,
+			clientSecret,
+			authorizationEndpoint,
+			tokenEndpoint,
+			userEndpoint,
+			scopes,
+			options,
+		),
+	}
+}
+
+func OAuthIDPAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := idp.OAuthIDPAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &OAuthIDPAddedEvent{OAuthIDPAddedEvent: *e.(*idp.OAuthIDPAddedEvent)}, nil
+}
+
+type OAuthIDPChangedEvent struct {
+	idp.OAuthIDPChangedEvent
+}
+
+func NewOAuthIDPChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	id string,
+	changes []idp.OAuthIDPChanges,
+) (*OAuthIDPChangedEvent, error) {
+
+	changedEvent, err := idp.NewOAuthIDPChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OAuthIDPChangedEventType,
+		),
+		id,
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &OAuthIDPChangedEvent{OAuthIDPChangedEvent: *changedEvent}, nil
+}
+
+func OAuthIDPChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e, err := idp.OAuthIDPChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &OAuthIDPChangedEvent{OAuthIDPChangedEvent: *e.(*idp.OAuthIDPChangedEvent)}, nil
+}
+
 type GoogleIDPAddedEvent struct {
 	idp.GoogleIDPAddedEvent
 }