feat(API): support V2 token and session token usage (#6180)

This PR adds support for userinfo and introspection of V2 tokens. Further V2 access tokens and session tokens can be used for authentication on the ZITADEL API (like the current access tokens).
2025-08-11 21:27:42 +00:00 · 2023-07-14 13:16:16 +02:00
parent 4589ddad4a
commit 80961125a7
38 changed files with 1309 additions and 181 deletions
--- a/internal/api/grpc/session/v2/session.go
+++ b/internal/api/grpc/session/v2/session.go
@@ -156,10 +156,11 @@ func userFactorToPb(factor query.SessionUserFactor) *session.UserFactor {
 		return nil
 	}
 	return &session.UserFactor{
-		VerifiedAt:  timestamppb.New(factor.UserCheckedAt),
-		Id:          factor.UserID,
-		LoginName:   factor.LoginName,
-		DisplayName: factor.DisplayName,
+		VerifiedAt:     timestamppb.New(factor.UserCheckedAt),
+		Id:             factor.UserID,
+		LoginName:      factor.LoginName,
+		DisplayName:    factor.DisplayName,
+		OrganisationId: factor.ResourceOwner,
 	}
 }

--- a/internal/api/grpc/session/v2/session_integration_test.go
+++ b/internal/api/grpc/session/v2/session_integration_test.go
@@ -4,12 +4,15 @@ package session_test

 import (
 	"context"
+	"fmt"
 	"os"
 	"testing"
 	"time"

+	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/metadata"

 	"github.com/zitadel/zitadel/internal/integration"
 	object "github.com/zitadel/zitadel/pkg/grpc/object/v2alpha"
@@ -35,6 +38,7 @@ func TestMain(m *testing.M) {

 		CTX, _ = Tester.WithAuthorization(ctx, integration.OrgOwner), errCtx
 		User = Tester.CreateHumanUser(CTX)
+		Tester.SetUserPassword(CTX, User.GetUserId(), integration.UserPassword)
 		Tester.RegisterUserPasskey(CTX, User.GetUserId())
 		return m.Run()
 	}())
@@ -377,3 +381,51 @@ func TestServer_SetSession_flow(t *testing.T) {
 		verifyCurrentSession(t, createResp.GetSessionId(), resp.GetSessionToken(), resp.GetDetails().GetSequence(), time.Minute, nil, wantFactors...)
 	})
 }
+
+func Test_ZITADEL_API_missing_authentication(t *testing.T) {
+	// create new, empty session
+	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{Domain: Tester.Config.ExternalDomain})
+	require.NoError(t, err)
+
+	ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", createResp.GetSessionToken()))
+	sessionResp, err := Tester.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: createResp.GetSessionId()})
+	require.Error(t, err)
+	require.Nil(t, sessionResp)
+}
+
+func Test_ZITADEL_API_missing_mfa(t *testing.T) {
+	id, token, _, _ := Tester.CreatePasswordSession(t, CTX, User.GetUserId(), integration.UserPassword)
+
+	ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", token))
+	sessionResp, err := Tester.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})
+	require.Error(t, err)
+	require.Nil(t, sessionResp)
+}
+
+func Test_ZITADEL_API_success(t *testing.T) {
+	id, token, _, _ := Tester.CreatePasskeySession(t, CTX, User.GetUserId())
+
+	ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", token))
+	sessionResp, err := Tester.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})
+	require.NoError(t, err)
+	require.NotNil(t, id, sessionResp.GetSession().GetFactors().GetPasskey().GetVerifiedAt().AsTime())
+}
+
+func Test_ZITADEL_API_session_not_found(t *testing.T) {
+	id, token, _, _ := Tester.CreatePasskeySession(t, CTX, User.GetUserId())
+
+	// test session token works
+	ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", token))
+	_, err := Tester.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})
+	require.NoError(t, err)
+
+	//terminate the session and test it does not work anymore
+	_, err = Tester.Client.SessionV2.DeleteSession(CTX, &session.DeleteSessionRequest{
+		SessionId:    id,
+		SessionToken: gu.Ptr(token),
+	})
+	require.NoError(t, err)
+	ctx = metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("Bearer %s", token))
+	_, err = Tester.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})
+	require.Error(t, err)
+}
--- a/internal/api/grpc/session/v2/session_test.go
+++ b/internal/api/grpc/session/v2/session_test.go
@@ -46,6 +46,7 @@ func Test_sessionsToPb(t *testing.T) {
 				UserCheckedAt: past,
 				LoginName:     "donald",
 				DisplayName:   "donald duck",
+				ResourceOwner: "org1",
 			},
 			Metadata: map[string][]byte{"hello": []byte("world")},
 		},
@@ -62,6 +63,7 @@ func Test_sessionsToPb(t *testing.T) {
 				UserCheckedAt: past,
 				LoginName:     "donald",
 				DisplayName:   "donald duck",
+				ResourceOwner: "org1",
 			},
 			PasswordFactor: query.SessionPasswordFactor{
 				PasswordCheckedAt: past,
@@ -81,6 +83,7 @@ func Test_sessionsToPb(t *testing.T) {
 				UserCheckedAt: past,
 				LoginName:     "donald",
 				DisplayName:   "donald duck",
+				ResourceOwner: "org1",
 			},
 			PasskeyFactor: query.SessionPasskeyFactor{
 				PasskeyCheckedAt: past,
@@ -105,10 +108,11 @@ func Test_sessionsToPb(t *testing.T) {
 			Sequence:     123,
 			Factors: &session.Factors{
 				User: &session.UserFactor{
-					VerifiedAt:  timestamppb.New(past),
-					Id:          "345",
-					LoginName:   "donald",
-					DisplayName: "donald duck",
+					VerifiedAt:     timestamppb.New(past),
+					Id:             "345",
+					LoginName:      "donald",
+					DisplayName:    "donald duck",
+					OrganisationId: "org1",
 				},
 			},
 			Metadata: map[string][]byte{"hello": []byte("world")},
@@ -120,10 +124,11 @@ func Test_sessionsToPb(t *testing.T) {
 			Sequence:     123,
 			Factors: &session.Factors{
 				User: &session.UserFactor{
-					VerifiedAt:  timestamppb.New(past),
-					Id:          "345",
-					LoginName:   "donald",
-					DisplayName: "donald duck",
+					VerifiedAt:     timestamppb.New(past),
+					Id:             "345",
+					LoginName:      "donald",
+					DisplayName:    "donald duck",
+					OrganisationId: "org1",
 				},
 				Password: &session.PasswordFactor{
 					VerifiedAt: timestamppb.New(past),
@@ -138,10 +143,11 @@ func Test_sessionsToPb(t *testing.T) {
 			Sequence:     123,
 			Factors: &session.Factors{
 				User: &session.UserFactor{
-					VerifiedAt:  timestamppb.New(past),
-					Id:          "345",
-					LoginName:   "donald",
-					DisplayName: "donald duck",
+					VerifiedAt:     timestamppb.New(past),
+					Id:             "345",
+					LoginName:      "donald",
+					DisplayName:    "donald duck",
+					OrganisationId: "org1",
 				},
 				Passkey: &session.PasskeyFactor{
 					VerifiedAt: timestamppb.New(past),