feat(api): add oidc and jwt provider template (#5290)

Adds possibility to manage OIDC and JWT template based providers
2025-08-11 19:07:30 +00:00 · 2023-02-27 16:32:18 +01:00
parent 9396e8b2f5
commit 80003939ad
29 changed files with 4338 additions and 295 deletions
--- a/internal/repository/idp/google.go
+++ b/internal/repository/idp/google.go
@@ -14,7 +14,7 @@ type GoogleIDPAddedEvent struct {

 	ID           string              `json:"id"`
 	Name         string              `json:"name,omitempty"`
-	ClientID     string              `json:"clientID"`
+	ClientID     string              `json:"clientId"`
 	ClientSecret *crypto.CryptoValue `json:"clientSecret"`
 	Scopes       []string            `json:"scopes,omitempty"`
 	Options
@@ -66,7 +66,7 @@ type GoogleIDPChangedEvent struct {

 	ID           string              `json:"id"`
 	Name         *string             `json:"name,omitempty"`
-	ClientID     *string             `json:"clientID,omitempty"`
+	ClientID     *string             `json:"clientId,omitempty"`
 	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
 	Scopes       []string            `json:"scopes,omitempty"`
 	OptionChanges
--- a/internal/repository/idp/idp.go
+++ b/internal/repository/idp/idp.go
@@ -6,7 +6,6 @@ import (
 	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/eventstore/repository"
-	"github.com/zitadel/zitadel/internal/repository/idpconfig"
 )

 type Options struct {
@@ -63,19 +62,15 @@ type RemovedEvent struct {
 	eventstore.BaseEvent `json:"-"`

 	ID string `json:"id"`
-
-	name string
 }

 func NewRemovedEvent(
 	base *eventstore.BaseEvent,
 	id string,
-	name string,
 ) *RemovedEvent {
 	return &RemovedEvent{
 		BaseEvent: *base,
 		ID:        id,
-		name:      name,
 	}
 }

@@ -84,10 +79,7 @@ func (e *RemovedEvent) Data() interface{} {
 }

 func (e *RemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
-	if e.name == "" {
-		return nil
-	}
-	return []*eventstore.EventUniqueConstraint{idpconfig.NewRemoveIDPConfigNameUniqueConstraint(e.name, e.Aggregate().ResourceOwner)}
+	return nil
 }

 func RemovedEventMapper(event *repository.Event) (eventstore.Event, error) {
--- a/internal/repository/idp/jwt.go
+++ b/internal/repository/idp/jwt.go
@@ -0,0 +1,153 @@
+package idp
+
+import (
+	"encoding/json"
+
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/repository"
+)
+
+type JWTIDPAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID           string `json:"id"`
+	Name         string `json:"name,omitempty"`
+	Issuer       string `json:"issuer,omitempty"`
+	JWTEndpoint  string `json:"jwtEndpoint,omitempty"`
+	KeysEndpoint string `json:"keysEndpoint,omitempty"`
+	HeaderName   string `json:"headerName,omitempty"`
+	Options
+}
+
+func NewJWTIDPAddedEvent(
+	base *eventstore.BaseEvent,
+	id,
+	name,
+	issuer,
+	jwtEndpoint,
+	keysEndpoint,
+	headerName string,
+	options Options,
+) *JWTIDPAddedEvent {
+	return &JWTIDPAddedEvent{
+		BaseEvent:    *base,
+		ID:           id,
+		Name:         name,
+		Issuer:       issuer,
+		JWTEndpoint:  jwtEndpoint,
+		KeysEndpoint: keysEndpoint,
+		HeaderName:   headerName,
+		Options:      options,
+	}
+}
+
+func (e *JWTIDPAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *JWTIDPAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func JWTIDPAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &JWTIDPAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IDP-Et1dq", "unable to unmarshal event")
+	}
+
+	return e, nil
+}
+
+type JWTIDPChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID           string  `json:"id"`
+	Name         *string `json:"name,omitempty"`
+	Issuer       *string `json:"issuer,omitempty"`
+	JWTEndpoint  *string `json:"jwtEndpoint,omitempty"`
+	KeysEndpoint *string `json:"keysEndpoint,omitempty"`
+	HeaderName   *string `json:"headerName,omitempty"`
+	OptionChanges
+}
+
+func NewJWTIDPChangedEvent(
+	base *eventstore.BaseEvent,
+	id string,
+	changes []JWTIDPChanges,
+) (*JWTIDPChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "IDP-BH3dl", "Errors.NoChangesFound")
+	}
+	changedEvent := &JWTIDPChangedEvent{
+		BaseEvent: *base,
+		ID:        id,
+	}
+	for _, change := range changes {
+		change(changedEvent)
+	}
+	return changedEvent, nil
+}
+
+type JWTIDPChanges func(*JWTIDPChangedEvent)
+
+func ChangeJWTName(name string) func(*JWTIDPChangedEvent) {
+	return func(e *JWTIDPChangedEvent) {
+		e.Name = &name
+	}
+}
+
+func ChangeJWTIssuer(issuer string) func(*JWTIDPChangedEvent) {
+	return func(e *JWTIDPChangedEvent) {
+		e.Issuer = &issuer
+	}
+}
+
+func ChangeJWTEndpoint(jwtEndpoint string) func(*JWTIDPChangedEvent) {
+	return func(e *JWTIDPChangedEvent) {
+		e.JWTEndpoint = &jwtEndpoint
+	}
+}
+
+func ChangeJWTKeysEndpoint(keysEndpoint string) func(*JWTIDPChangedEvent) {
+	return func(e *JWTIDPChangedEvent) {
+		e.KeysEndpoint = &keysEndpoint
+	}
+}
+
+func ChangeJWTHeaderName(headerName string) func(*JWTIDPChangedEvent) {
+	return func(e *JWTIDPChangedEvent) {
+		e.HeaderName = &headerName
+	}
+}
+
+func ChangeJWTOptions(options OptionChanges) func(*JWTIDPChangedEvent) {
+	return func(e *JWTIDPChangedEvent) {
+		e.OptionChanges = options
+	}
+}
+
+func (e *JWTIDPChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *JWTIDPChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func JWTIDPChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &JWTIDPChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IDP-D3gjzh", "unable to unmarshal event")
+	}
+
+	return e, nil
+}
--- a/internal/repository/idp/oauth.go
+++ b/internal/repository/idp/oauth.go
@@ -14,8 +14,8 @@ type OAuthIDPAddedEvent struct {

 	ID                    string              `json:"id"`
 	Name                  string              `json:"name,omitempty"`
-	ClientID              string              `json:"client_id,omitempty"`
-	ClientSecret          *crypto.CryptoValue `json:"client_secret,omitempty"`
+	ClientID              string              `json:"clientId,omitempty"`
+	ClientSecret          *crypto.CryptoValue `json:"clientSecret,omitempty"`
 	AuthorizationEndpoint string              `json:"authorizationEndpoint,omitempty"`
 	TokenEndpoint         string              `json:"tokenEndpoint,omitempty"`
 	UserEndpoint          string              `json:"userEndpoint,omitempty"`
@@ -75,8 +75,8 @@ type OAuthIDPChangedEvent struct {

 	ID                    string              `json:"id"`
 	Name                  *string             `json:"name,omitempty"`
-	ClientID              *string             `json:"client_id,omitempty"`
-	ClientSecret          *crypto.CryptoValue `json:"client_secret,omitempty"`
+	ClientID              *string             `json:"clientId,omitempty"`
+	ClientSecret          *crypto.CryptoValue `json:"clientSecret,omitempty"`
 	AuthorizationEndpoint *string             `json:"authorizationEndpoint,omitempty"`
 	TokenEndpoint         *string             `json:"tokenEndpoint,omitempty"`
 	UserEndpoint          *string             `json:"userEndpoint,omitempty"`
--- a/internal/repository/idp/oidc.go
+++ b/internal/repository/idp/oidc.go
@@ -0,0 +1,154 @@
+package idp
+
+import (
+	"encoding/json"
+
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/eventstore/repository"
+)
+
+type OIDCIDPAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID           string              `json:"id"`
+	Name         string              `json:"name"`
+	Issuer       string              `json:"issuer"`
+	ClientID     string              `json:"clientId"`
+	ClientSecret *crypto.CryptoValue `json:"clientSecret"`
+	Scopes       []string            `json:"scopes,omitempty"`
+	Options
+}
+
+func NewOIDCIDPAddedEvent(
+	base *eventstore.BaseEvent,
+	id,
+	name,
+	issuer,
+	clientID string,
+	clientSecret *crypto.CryptoValue,
+	scopes []string,
+	options Options,
+) *OIDCIDPAddedEvent {
+	return &OIDCIDPAddedEvent{
+		BaseEvent:    *base,
+		ID:           id,
+		Name:         name,
+		Issuer:       issuer,
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		Scopes:       scopes,
+		Options:      options,
+	}
+}
+
+func (e *OIDCIDPAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCIDPAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func OIDCIDPAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &OIDCIDPAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IDP-Et1dq", "unable to unmarshal event")
+	}
+
+	return e, nil
+}
+
+type OIDCIDPChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ID           string              `json:"id"`
+	Name         *string             `json:"name,omitempty"`
+	Issuer       *string             `json:"issuer,omitempty"`
+	ClientID     *string             `json:"clientId,omitempty"`
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	Scopes       []string            `json:"scopes,omitempty"`
+	OptionChanges
+}
+
+func NewOIDCIDPChangedEvent(
+	base *eventstore.BaseEvent,
+	id string,
+	changes []OIDCIDPChanges,
+) (*OIDCIDPChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "IDP-BH3dl", "Errors.NoChangesFound")
+	}
+	changedEvent := &OIDCIDPChangedEvent{
+		BaseEvent: *base,
+		ID:        id,
+	}
+	for _, change := range changes {
+		change(changedEvent)
+	}
+	return changedEvent, nil
+}
+
+type OIDCIDPChanges func(*OIDCIDPChangedEvent)
+
+func ChangeOIDCName(name string) func(*OIDCIDPChangedEvent) {
+	return func(e *OIDCIDPChangedEvent) {
+		e.Name = &name
+	}
+}
+
+func ChangeOIDCIssuer(issuer string) func(*OIDCIDPChangedEvent) {
+	return func(e *OIDCIDPChangedEvent) {
+		e.Issuer = &issuer
+	}
+}
+
+func ChangeOIDCClientID(clientID string) func(*OIDCIDPChangedEvent) {
+	return func(e *OIDCIDPChangedEvent) {
+		e.ClientID = &clientID
+	}
+}
+
+func ChangeOIDCClientSecret(clientSecret *crypto.CryptoValue) func(*OIDCIDPChangedEvent) {
+	return func(e *OIDCIDPChangedEvent) {
+		e.ClientSecret = clientSecret
+	}
+}
+
+func ChangeOIDCOptions(options OptionChanges) func(*OIDCIDPChangedEvent) {
+	return func(e *OIDCIDPChangedEvent) {
+		e.OptionChanges = options
+	}
+}
+
+func ChangeOIDCScopes(scopes []string) func(*OIDCIDPChangedEvent) {
+	return func(e *OIDCIDPChangedEvent) {
+		e.Scopes = scopes
+	}
+}
+
+func (e *OIDCIDPChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCIDPChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func OIDCIDPChangedEventMapper(event *repository.Event) (eventstore.Event, error) {
+	e := &OIDCIDPChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IDP-D3gjzh", "unable to unmarshal event")
+	}
+
+	return e, nil
+}