feat(API): support V2 token and session token usage (#6180)

This PR adds support for userinfo and introspection of V2 tokens. Further V2 access tokens and session tokens can be used for authentication on the ZITADEL API (like the current access tokens).
2025-08-11 19:07:30 +00:00 · 2023-07-14 13:16:16 +02:00
parent 4589ddad4a
commit 80961125a7
38 changed files with 1309 additions and 181 deletions
--- a/internal/command/oidc_session.go
+++ b/internal/command/oidc_session.go
@@ -14,6 +14,7 @@ import (
 	"github.com/zitadel/zitadel/internal/id"
 	"github.com/zitadel/zitadel/internal/repository/authrequest"
 	"github.com/zitadel/zitadel/internal/repository/oidcsession"
+	"github.com/zitadel/zitadel/internal/repository/user"
 )

 // AddOIDCSessionAccessToken creates a new OIDC Session, creates an access token and returns its id and expiration.
@@ -101,6 +102,10 @@ func (c *Commands) newOIDCSessionAddEvents(ctx context.Context, authRequestID st
 	if sessionWriteModel.State != domain.SessionStateActive {
 		return nil, caos_errs.ThrowPreconditionFailed(nil, "OIDCS-sjkl3", "Errors.Session.Terminated")
 	}
+	resourceOwner, err := c.getResourceOwnerOfSessionUser(ctx, sessionWriteModel.UserID, sessionWriteModel.InstanceID)
+	if err != nil {
+		return nil, err
+	}
 	accessTokenLifetime, refreshTokenLifeTime, refreshTokenIdleLifetime, err := c.tokenTokenLifetimes(ctx)
 	if err != nil {
 		return nil, err
@@ -114,7 +119,7 @@ func (c *Commands) newOIDCSessionAddEvents(ctx context.Context, authRequestID st
 		eventstore:               c.eventstore,
 		idGenerator:              c.idGenerator,
 		encryptionAlg:            c.keyAlgorithm,
-		oidcSessionWriteModel:    NewOIDCSessionWriteModel(sessionID, authz.GetInstance(ctx).InstanceID()),
+		oidcSessionWriteModel:    NewOIDCSessionWriteModel(sessionID, resourceOwner),
 		sessionWriteModel:        sessionWriteModel,
 		authRequestWriteModel:    authRequestWriteModel,
 		accessTokenLifetime:      accessTokenLifetime,
@@ -123,6 +128,22 @@ func (c *Commands) newOIDCSessionAddEvents(ctx context.Context, authRequestID st
 	}, nil
 }

+func (c *Commands) getResourceOwnerOfSessionUser(ctx context.Context, userID, instanceID string) (string, error) {
+	events, err := c.eventstore.Filter(ctx, eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
+		InstanceID(instanceID).
+		AllowTimeTravel().
+		OrderAsc().
+		Limit(1).
+		AddQuery().
+		AggregateTypes(user.AggregateType).
+		AggregateIDs(userID).
+		Builder())
+	if err != nil || len(events) != 1 {
+		return "", caos_errs.ThrowInternal(err, "OIDCS-sferh", "Errors.Internal")
+	}
+	return events[0].Aggregate().ResourceOwner, nil
+}
+
 func (c *Commands) decryptRefreshToken(refreshToken string) (refreshTokenID string, err error) {
 	decoded, err := base64.RawURLEncoding.DecodeString(refreshToken)
 	if err != nil {
@@ -144,7 +165,7 @@ func (c *Commands) newOIDCSessionUpdateEvents(ctx context.Context, oidcSessionID
 	if err != nil {
 		return nil, err
 	}
-	sessionWriteModel := NewOIDCSessionWriteModel(oidcSessionID, authz.GetInstance(ctx).InstanceID())
+	sessionWriteModel := NewOIDCSessionWriteModel(oidcSessionID, "")
 	if err = c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel); err != nil {
 		return nil, err
 	}