From 85eb2eda0bd17a4bae837dc0ec016c2f20d82db2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20M=C3=B6hlmann?=
Date: Thu, 21 Dec 2023 15:57:33 +0200
Subject: [PATCH] fix(oidc): refresh token for device authorization (#7104)

fix(oidc); refresh token for device authorization

Due to a mis-alignment of OIDC interface and concrete implementations in zitadel, requesting a refresh token for device authorization would fail. This change adds the possibility to to use the op.IDTokenRequest directly. Also, the UserAgentID is dropped as required parameter, as devices do not have a user agent.
---
 internal/api/oidc/auth_request.go | 19 +++++++++++--------
 internal/command/user_human_refresh_token.go | 2 +-
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/internal/api/oidc/auth_request.go b/internal/api/oidc/auth_request.go
index fa99f544a5..062b0e3351 100644
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@@ -200,6 +200,8 @@ func (o *OPStorage) CreateAccessToken(ctx context.Context, req op.TokenRequest)
 // trigger activity log for authentication for user
 activity.Trigger(ctx, "", authReq.CurrentAuthRequest.UserID, activity.OIDCAccessToken)
 return o.command.AddOIDCSessionAccessToken(setContextUserSystem(ctx), authReq.GetID())
+ case op.IDTokenRequest:
+ applicationID = authReq.GetClientID()
 }
 accessTokenLifetime, _, _, _, err := o.getOIDCSettings(ctx)
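Review bot: The new `case op.IDTokenRequest:` branch sets applicationID but, unlike the `*AuthRequest` branch directly above it, never calls activity.Trigger, so access tokens minted for device-authorization requests may not be recorded in the activity log unless a trigger exists further down, outside the hunk. If the interface exposes the subject, as the upstream op.IDTokenRequest does, one line mirrors the existing branch: `activity.Trigger(ctx, "", authReq.GetSubject(), activity.OIDCAccessToken)`. Since this is a type switch, the interface case must stay after the concrete cases, because a concrete request type that also satisfies op.IDTokenRequest would otherwise be matched here first; a comment such as `// keep after the concrete cases: they may also satisfy op.IDTokenRequest` would protect that order. CreateAccessToken starts and ends outside the hunk.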
@@ -263,15 +265,16 @@ func (o *OPStorage) CreateAccessAndRefreshTokens(ctx context.Context, req op.Tok
 }
 func getInfoFromRequest(req op.TokenRequest) (string, string, string, time.Time, []string) {
- authReq, ok := req.(*AuthRequest)
- if ok {
- return authReq.AgentID, authReq.ApplicationID, authReq.UserOrgID, authReq.AuthTime, authReq.GetAMR()
+ switch r := req.(type) {
+ case *AuthRequest:
+ return r.AgentID, r.ApplicationID, r.UserOrgID, r.AuthTime, r.GetAMR()
+ case *RefreshTokenRequest:
+ return r.UserAgentID, r.ClientID, "", r.AuthTime, r.AuthMethodsReferences
+ case op.IDTokenRequest:
+ return "", r.GetClientID(), "", r.GetAuthTime(), r.GetAMR()
+ default:
+ return "", "", "", time.Time{}, nil
 }
- refreshReq, ok := req.(*RefreshTokenRequest)
- if ok {
- return refreshReq.UserAgentID, refreshReq.ClientID, "", refreshReq.AuthTime, refreshReq.AuthMethodsReferences
- }
- return "", "", "", time.Time{}, nil
 }
 func (o *OPStorage) TokenRequestByRefreshToken(ctx context.Context, refreshToken string) (_ op.RefreshTokenRequest, err error) {
diff --git a/internal/command/user_human_refresh_token.go b/internal/command/user_human_refresh_token.go
index 6c643f801e..5416cc76d0 100644
--- a/internal/command/user_human_refresh_token.go
+++ b/internal/command/user_human_refresh_token.go
@@ -45,7 +45,7 @@ func (c *Commands) AddNewRefreshTokenAndAccessToken(
 refreshIdleExpiration time.Duration,
 authTime time.Time,
 ) (accessToken *domain.Token, newRefreshToken string, err error) {
- if userID == "" || agentID == "" || clientID == "" {
+ if userID == "" || clientID == "" {
 return nil, "", zerrors.ThrowInvalidArgument(nil, "COMMAND-adg4r", "Errors.IDMissing")
 }
 userWriteModel := NewUserWriteModel(userID, orgID)
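Review bot: getInfoFromRequest still has no doc comment, and the three cases now differ silently in what they can provide: only `*AuthRequest` yields an agent ID and an org ID, `*RefreshTokenRequest` and `op.IDTokenRequest` return "" for the org, and the `default` branch returns all zero values without an error, so a caller cannot tell "unknown request type" apart from "no org". A comment above the function should name the results in order (agentID, clientID, orgID, authTime, amr), state that agentID and orgID are empty for refresh-token and device (op.IDTokenRequest) requests, and state that an unrecognized request type yields zero values rather than an error. It should also say that the interface case is deliberately matched after the two concrete pointer cases, since either concrete type may also satisfy op.IDTokenRequest and would otherwise lose its agent and org information.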
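Review bot: Removing `agentID == ""` from the guard relaxes the check for every caller of AddNewRefreshTokenAndAccessToken, not only the device-authorization path that motivates the commit, so a caller on a browser flow that passes an empty agent ID now receives a refresh token without its user-agent binding instead of the `Errors.IDMissing` error. If the stored agent ID is consulted when the refresh token is later validated or renewed (outside this hunk), that binding is lost silently rather than rejected. Consider keeping the original guard and letting the device path opt out explicitly, or at minimum documenting the relaxation on the function, e.g. `// agentID may be empty for device authorization, which has no user agent.` The parameter list starts before the hunk and the function body continues past it.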